Hacking Web Pages
Originally an Email to me. this one is on hacking web pages, and i included
alot more information on other methods than the traditional passwd file method,
which most the web page texts are on in the library right now. I fixed this
one so it doesn't scroll on and on like my text on passwd files [=. Goat -***Hacking
Web Pages***- by Goat Introduction Please know that hacking webpages is consitered
lame in many's opinions, and it will most likly not give you a good reputation.
People can always check logs once notified of hacking and most likly your address
will come up and then at worst they will press charges for some elaborate computer
crimes law and you will goto prison for up to 10 years and owe alot of $. So
please attempt to refrain from abusing your knowlage on this subject. This is
for informational purposes only. "Free" Web Pages Free webpages is
web page hosting companies like Tripod and Geocities that host peoples web pages
for free and make money off advertising. There is ways to hack these companies
and have access to all users, but it would be to complex for most people. This
way is simply social engineering which is not very hard to do, so don't proclaim
yourself an Uberhacker because you vandalised a poor guy's webpage, who just
happened to have his information on his site. All you have to do is set up an
account with a free email service like hotmail and find your target. On your
targets page up need to have the date of birth, name, and their old email, or
instead of the DOB there address (I have lost my pass to a smaller company,
and they needed the address i had registered with). All these free web page
companies have their "verification" for people who have lost there
password to their page. All their is to it is once you have this information
is you either email the company telling them you changed your email address
and once that is done wait about 2 weeks and then email them again saying that
you lost your password. Most will email you telling you that you need some sort
of verification, like the DOB or Address. In which you email them back and tell
them and get a new password. On the other hand, companies like Geocities are
too busy for email so they have set up a web site where members can get there
password back (http://www.geocities.com/help/pass_form.html). User's Pages There
is many different methods of hacking users web pages on a server. I will attempt
to list as many ways possible but don't expect very much in depth information.
Getting Passwords Okay suppose you found a page you want to hack, that is on
someone elses server thats a basic server, light security. Okay very light security.
I will be truthful. This pretty much works on servers with no security [=. Getting
a passwd file is pretty easy. Simply telnet into the servers FTP anonymously
and look in the ETC directory and get the file called Passwd. Another way to
get them is to find your target and in a WWW browser type cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
after the servers name. For example the name may be http://www.hackme.com/,
you would goto http://www.hackme.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
except instead of www.hackme.com you would replace that with your targets URL.
You may get a passwd file that has no user accounds, but only defaults which
where the encrypted password should be a * would be in its place. On certain
servers with this you may have a shadowed passwd but on all passwd files i have
come across there is some user names like FTP and NEWS that have no encrypted
passwords which is replaced with *. If you find only this and no encrypted passwds
you probably have found a fixed passwd file and you must try another method
of hacking the server. You need to examine this file and look for a line in
the text that looks like this: rrc:uXDg04UkZgWOQ:201:4:Richard Clark:/export/home/rrc:/bin/kshdoes
not need to look exactly like that, the only important part it needs it the
uXDg04UkZgWOQ and rcc, which is the login part. Get a program called John the
Ripper whcih can be found on any hacking site on the web. If you are to lazy,
or stupid to find one on the web heres a good place to go for newbies http://www.hackersclub.com/km/
I will not go in depth right here on passwd files, but i have written a text
on passwd's going good into the subject which can be found at http://www.xtalwind.net/~lmclaulin/ugpasswd.txt.
Anyway, using John the Ripper is easy, if you want to quickly hack something
give the command (in DOS prompt) "john passwd -single" Replace "passwd"
in there with the name of the passwd file, you may have saved it as passwd.txt
or something. An important thing to remember is that the passwd file needs to
be in the same directory as John. To see a list of other methods for cracking
a passwd file, just type John and it will give you a list of commands. I have
found john won't work for me with wordlists but other people say that it works
fine for them. You can use incremental mode (to use that the command is "John
passwd -incremental" It takes like a few days to finish so I wouldn't really
want it to let it go on forever and ever if it was just some normal passwd file.
Unless its like NASA's passwd file (keep dreaming, they probably change passwords
everyday and that file is very outdated) I wouldn't want to use that too much.
To see a complete list of John's cracking capabilities, just type john and it
will give you a list of commands that you may use. If you Have an Account with
the Users Server The next section is on how you can hack a webpage if you already
have an account with the server. This was taken from a text by Lord Somer and
since i don't want to butcher something important out of it I will just keep
the text in its whole form. Exploiting Net Adminstration CGI (taken from a text
by Lord Somer) ####################################### # Exploiting Net Administration
Cgi's # # like nethosting.com # # Written by:Lord Somer # # Date:9/2/97 # #######################################
Well since nethosting.com either shutdown or whatever I figured what the hell
before I forget how I did the more recent hacks etc... I'd tell you how so maybe
you'll find the same sys elsewhere or be able to use it for ideas. Basically
Nethosting.com did all it's administration via cgi's at net-admin.nethosting.com,
well you need an account, card it if necessary, log in to net-administration,
you'll see crap like ftp administration, email, etc... who really cares about
e-mail so we'll go to ftp. Click on ftp administration. Lets say you were logged
in as 7thsphere.com your url would be something like: http://net-admin.nethosting.com/cgi-bin/add_ftp.cgi?7thsphere.com+ljad32432jl
Just change the 7thsphere.com to any domain on the sys or if in the chmod cgi
just del that part but keep the + sign and you edit the /usr/home dir. In the
ftp administration make a backdoor account to that domain by creating an ftp
who's dir is / since multiple /// still means /. Once you have your backdoor
have fun. Oh yeah and in the email you can add aliases like I did to rhad's
e-mail account at 7thsphere, why the hell is he on that winsock2.2 mailing list?
Well the basic theory of this type of exploitation is that: - the cgi is passed
a paramater which we change to something else to edit it's info - since it uses
the stuff after the + to check that it's a valid logged in account(like hotmail
does), it dosen't check the password again. - multiple ///'s in unix just mean
a /, thus we can get access to people's dir or the entire /usr/home dir I used
this method for hacking a few well known places: 7thsphere.com sinnerz.com hawkee.com
warez950.org lgn.com and several other unknown sites. Please remember if you
ever use a method of mine please credit me and link to my site thanks. ########################################
# Contact Info: # # E-mail: webmaster@lordsomer.com # # ICQ: 1182699 # # Site:
The Hackers Layer # # http://www.lordsomer.com # # Other Sites: # # Hackers
Club # # http://www.hackersclub.com/km # ########################################
Other Ways Of Hacking User Pages Another method that may work with really stupid
Admins is sometimes, when you FTP to a server, you can leave your home directory
and go back a few directories and find your targets directory. Once you have
done that if you can access the HTML files and save them to disk and then "edit
them". The HTML files may or may not be stored on FTP but with smarter
admins they are not accessable by other users. Things that Don't Fit In Other
Catagories There are many more ways of hacking web pages. Peoples stupidity
is a good way. Many passwords are guessable if they are not hackable. Its not
hacking but simply using a persons stupidity. If you were to get root on a server
you could have access to everything on the server, so if you wanted to hack
a servers webpage (or access anything else you want on the server) you would
probably have to get an account and you could run an exploit on the server,
but that is something newbies should probably not try until you know more about
what you are doing. Why Hacking Web Pages (and other things) is a Bad Idea...
Hacking web pages is an obvious signal that someone has hacked your server,
which can reminer to forgetful admins to check there logs and immediatly call
your ISP to cancel your account along with the FBI to come bust you on some
elaborate computer crime law. Hacking school grades is another stupid thing
you should never do. I know its off topic but its important to remember, because
they are two things that both get people busted alot. Don't believe me? Let
me show you a few pieces of articles from news at the hackersclub. The entire
article (instead of the parts where the hacker got busted) may be read from
the address beneath each section. "Kubojima is accused of taking over seven
web pages of the Osaka-based television network Asahi Broadcasting Company on
May 18 and replacing five of the seven weather charts on the pages with pornographic
pictures. He also faces charges under Japan's anti-obscenity laws. If convicted,
Kubojima faces a fine of one million yen ($8,600) and a prison term of up to
five years under tough penalties against hackers adopted in 1992. " http://web5.hackersclub.com/km/news/1997/may/news4.txt
"He is 18, and may be looking at up to 10 years in prison. He hasn't stolen
anything, he hasn't hurt anybody and many familiar with the crime that he is
accused of committing say the possible punishment borders on the absurd. The
18-year-old and a 17-year-old friend, police say, broke into a computer network.
They added some funny pictures to a World Wide Web site run by the network operator,
a Texas Internet service provider called FlashNet, police say. The two figured
out some of the user names and passwords used by FlashNet customers. Then they
left. The 18-year-old was arrested on suspicion of third-degree felonies that
carry a sentence of two to 10 years in prison and a fine of up to $10,000. His
friend, who was arrested on suspicion of a less severe misdemeanor, faces up
to a year in jail and a $4,000 fine. " http://web6.hackersclub.com/km/news/1997/august/news3.txt
"Student faces felony for hacking grades From NewsTalk 750 WSB A 15-year-old
Florida High School student faces felony charges for allegedly hacking his way
into the school computer to change "F's" into "A's." Jason
Westerman claims it was only a joke, but he faces felony charges for offenses
against intellectual property and computer users. He's been suspended for ten
days. Westwood high school administrators want to expel him. " http://web6.hackersclub.com/km/news/1997/june/news4.txt
Getting busted hacking will not be a fun process unless you like paying $10,000
and having a date with someone names Spike in the prison's cafateria for the
next 3 years. Be wise about what you leave behind, because soon you may be suprised
by a knock at the door by your neighborly FBI agent.