A Complete Hacking Tutorial

Posted at Monday, July 28, 2008


Anonymous guide on how to be a /h4ck/er on steroids.

---> Read this file top-to-bottom

•••Preliminary•••••••••••••••••
••••What•this•guide•is•••••••••
••••What•this•guide•isn't••••••
••••Target•Audience••••••••••••
•••Programming•••••••••••••••••
•••Rules•and•Protips•••••••••••
••••/i/nsurgent•protips••••••••
••••/h4ck/er•protips•••••••••••
•••Professions•••••••••••••••••
•••Basics•••••••••••••••••••••
••••How•Computers•Work•••••••••
•••••Languages•Control•All•••••
••••Networking•Basics••••••••••
•••••IP•Addresses••••••••••••••
•••••TCP/IP••••••••••••••••••••
•••Raiding•9001••••••••••••••••
••••Websites•••••••••••••••••••
•••••HTTP•Botting••••••••••••••
•••••Session•Hijacking•••••••••
•••••XSS•••••••••••••••••••••••
•••••Breaking•Captcha••••••••••
•••••Phishing••••••••••••••••••
•••••DoS•••••••••••••••••••••••
••••••Weak•Spots•••••••••••••••
•••••R00ting•••••••••••••••••••
•••••Stealing•Information••••••
•••Resources•••••••••••••••••••
••••Tools••••••••••••••••••••••
••••Links••••••••••••••••••••••
••••Reference••••••••••••••••••
•••Closure•••••••••••••••••••••
•••••••••••••••••••••••••••••••


TODO:
Create a long list of keywords to learn
add how to cover tracks
Raiding 9001
-cover exploits regarding php/.net/j2ee/old CGI (c/perl)
*j2ee developed applications are pretty secure, but definitely cover this
*note to newfags: the extension doesn't guarantee which platform it was
developed on. j2ee rarely ends in .jsp because the servlet usually forwards
to its context root "domain-url/Example" instead of "domain-url/example.jsp".

•••Preliminary•••••••••••••••••
Anyone can pick up and write to this file; don't drop names into it, otherwise
it'll just get sage bombed. Any edits you make, submit in a new
thread and let ppl in /h4ck/ go over them to make sure they aren't wrong or just
stupid.

••••What•this•guide•is•••••••••
-How to help an /i/nsurgency using technical expertise
-Again, how to help an /i/nsurgency as opposed to personal vendettas
-Again, HOW TO FUCKING RAID teh internet, so it's focused on websites
-if terms like "lurk moar" confuse you, then this guide
won't help you, try:
http://www.google.com/search?q=%22how+to...2&ie=utf-8

PROTIP: If any links are broken, learn to waybackmachine/google.


••••What•this•guide•isn't••••••
-hOW tO bE a HaCkEr
-rooting. This is not another how-to-root guide, but it will cover that for
newfags. Rooting != win. Rooting will last for 2-8 hours. A well thought out
attack causes days worth of damage in data lost, and weeks of labor lost.
-any words like "script kiddies" or any other retarded shit you will hear people
on blogs/digg/fag dominion talking about. Funny how the biggest namefags
who love to talk about hacking the most 1) rarely hack or 2) never hack.
It's also funny how the latter of the two write 90% more than the former.
-linux based. linux != hacking. Knowing linux is helpful if u want to hack into
linux boxes. You have probably read other guides and noticed how they keep
reiterating that you must use only linux or be a linux guru in order to hack.
That is just incorrect. However, you will need to know how to use linux
and be rather proficient in it, as it would be pretty fail to hack into a
linux box using some script and then not know what the fuck to do.



••••Target•Audience••••••••••••
-if gb2/gaia, gb2/bed, or yiff in hell offends you, kill yourself. Anyone who
is a weaboo fag or jerks off to furry shit clearly doesn't have the capacity
to hold a non-remedial job, let alone utilize technical expertise.
-you need to be able to program; if you can't, then refer to the paragraph below.
-we are a legion of h4ckers, many of us are IT
professionals/comp sci students (in b4 CS III).
You'll probably end up on that path anyway, why
learn to program then not make good money at an ez
job am i rite? YOU THERE. WHAT IS YOUR PROFESSION?
-If you want to know the answer to "I have an IP, what can I do with it",
this means that you don't understand computers very well
and need to learn some more before you attempt to give
out any expertise... Read the next paragraph and after
you do some learnin come back. You'll need to keep reading
shit and never stop... try to spend as much time on your
learnins as you have put into your faggot MMOs. Also
skip to the Basics section and read that before you program.



•••Programming•••••••••••••••••

if (notProgrammer || (pLanguages.size == 1 && pLanguages.next() == "php")
|| shitpilenewb) {
If you can't program you will never know shit. You won't understand any
exploit you prolly /r/, let alone why it works. l2/program and
LEARN IT GOOD + you will never stop coding once you do. When you see exploits
being mentioned, in the back of your mind you will understand exactly what it is
doing and how it works. Understanding and, after that, knowing IS THE EPITOME OF
HACKING. You will never know shit unless you learn how computers work.

~^~
Learn a non-interpreted language first. Rather, just learn C, C++ or Java.
These languages are turned directly into machine code, which is then fed to
the CPU, as opposed to a script, which is interpreted by a program. You will
need to learn about the stack and other common programming topics, so get a
good book. If you really want to be good, learn ASSEMBLY and learn how C/C++
is converted to assembly. Remember this:

High level language -> Intermediate language -> Machine code
an example:
C -> Assembly -> 01001010 <- instruction
i++ -> INC [i] -> 01001010 10001010 <- EXAMPLE, was too lazy to refer to the *correct*
opcode so don't be a wise ass if you did refer and found the 0's and 1's were
completely wrong, because they're just an example and I'm lazy.

Java works differently, yet you will prolly learn it in college. VB is not
helpful, it isn't like other high level languages. Do not learn it.

protip: c#, Ruby on Rails, J2EE and php will not help you learn computers/how to
program anything good. They are highly specialized in helping developers create web
applications. If the idea of *creating* a web game or forum interests you then
learn these, as they will automate and make a lot of the programming required for
web development easy. Learn these afterwards though; they are needed to
understand how web applications work.

~^~
WHAT THE BOOKS WON'T TELL YOU YET WHAT IS MORE IMPORTANT:
-It is all about source code. You learn from source code. After you get the
basics down just google '"source code"+language'. Look at any programs that
interest you. Basically: read a little, write a little, REPEAT. This is what we
all do, no matter the skill level.
-Every language has a common library for handling Strings, threads, etc. Some
pretty common code. You WILL need to know this just as well as the syntax, so
quickly find the API reference for these. Fuck it, here they are lulz:
http://java.sun.com/j2se/1.5.0/docs/api/ - java obviously
http://www.cplusplus.com/reference/ - c++
-LEARN TO FUCKING GOOGLE! This isn't because you annoy others; if anything ppl
enjoy strobing their e-peen to help you. But, listen. As a paid software dev,
I, and every one of us, google shit at work. Why? Because when you are a
programmer you REUSE code, and you want to find other libraries which already
work well and are very extensive. Whenever you get an error, type it into
google and you will get information pertaining to it.
-The only reason I recommend books is because they SHOULD tell you about the stack
and how computers work in general.

After you have read all of that, can you write a program that visits a webpage,
grabs all of the links there, and visits one of the pages linked from it? Then steal
all the emails on the page (as it looks for links). Then code it so that it
scans for forms and logs whether or not it found one and what the url was. If
you didn't write good functions (modular code) you still need to learn that, or
else you won't be a good coder. Once you have this project up and running, and
can easily make changes (ie: easily add new functionality) to it, then you can
move on.
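A starting point for the parsing half of that challenge, written for this edit and not code from the guide: it walks a constructed HTML page once, collects every link (resolved to an absolute URL) and every form with its action, method and named inputs. Fetching a live page and recursing into one of the links are left out so it runs offline; every URL in it is made up.

```python
"""Link and form inventory: the parsing half of the crawler challenge.

Constructed example page below; all URLs are made up. Fetching a live page
(urllib.request.urlopen) and recursing into one of the links are left out
so the block runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin


class PageInventory(HTMLParser):
    """Collects links and forms while walking the document once."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []          # absolute URLs from <a href="...">
        self.forms = []          # one dict per <form>: action, method, inputs
        self._form = None        # form currently being walked, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            # Relative hrefs are resolved against the page URL so a crawler
            # can visit them directly.
            self.links.append(urljoin(self.base_url, attrs["href"]))
        elif tag == "form":
            # A form with no action posts back to the page itself.
            self._form = {
                "action": urljoin(self.base_url, attrs.get("action", "")),
                "method": attrs.get("method", "get").lower(),
                "inputs": [],
            }
        elif tag in ("input", "textarea", "select") and self._form is not None:
            # Only named fields are submitted; a bare submit button is not.
            if attrs.get("name"):
                self._form["inputs"].append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def inventory(base_url, html):
    """Return {'links': [...], 'forms': [...]} for one page's HTML."""
    parser = PageInventory(base_url)
    parser.feed(html)
    parser.close()
    return {"links": parser.links, "forms": parser.forms}


# Constructed sample page standing in for a fetched response.
SAMPLE_HTML = """
<html><body>
<a href="/forum/thread.php?id=1">a thread</a>
<a href="http://other.example/">external link</a>
<a name="top">anchor without href</a>
<form action="/forum/login.php" method="POST">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
<form>
  <textarea name="q"></textarea>
</form>
</body></html>
"""


def demo():
    """Inventory of the constructed page (two links, two forms)."""
    return inventory("http://forum.example/forum/index.html", SAMPLE_HTML)


if __name__ == "__main__":
    for form in demo()["forms"]:
        print(form["method"].upper(), form["action"], form["inputs"])
```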

Oh, and one more challenge: learn what the stack is, and then read this and
attempt to understand what a buffer overflow exploit is. These are very common:
http://www.cs.wright.edu/~tkprasad/cours...phOne.html

hint on what stack you want to read about:
http://en.wikipedia.org/wiki/Stack_(data_structure)#Hardware_stacks
^so as not to confuse you with the abstract data structure.
Of course, if you choose java you still need to learn pointers.

So, finish both challenges before you can move on. DO IT FAGGOT!

tl;dr: learn java or c, then assembly and then stick to those for a while

} else {
so you can program? doesn't mean jack. You need to be able to think creatively.
You need to know the "time of day" (hint: its always RAPE). Knowing what to
program is what you need to focus on no matter your skill level.

Other languages and stuff to learn:
Because we hit websites so much, you need to learn HTML, some
javascript, and css. Any other programming languages will be very similar
and learning them should only take 2-4 days. You should also understand TCP/IP
basics, proxies, socks, and HTTP, which is very important. Also learn binary (it's a
number system, just like decimal... also learn hex, again a number system, not
something that you edit with a hex editor).
}



•••Rules•and•Protips•••••••••••
••••Rules••••••••••••••••••••••

1) Do not namefag. Do not trust namefags. You need 7 proxies, but you'll need
9001 handles. Use a new handle AND proxy often. An internet handle is
as good as your FULL NAME and DOB once they do find your identity. Going
around putting your handle in sploits or coding a bot then posting the link
in the channel with the SAME name over and over means you're a fucking
retard. WE ARE FUCKING CALLED ANONYMOUS FOR A REASON.
2) MODS = FAGS. This applies to ircops and channel ops. Do not "work your way
up" the hierarchy (hence don't namefag). I don't have anything against
these people other than their general name faggotry. We found out the owner
of partyvan IS A G-A-I-A FAG during a raid. Don't trust mods and nevar trust
a namefag.
3) Contribute solutions with the goal of "Getting the job done". Raids need
coders. Some of it is common shit like a bot that spams shit on forums or w/e
messaging. The idea is to take the best strategic course of action. Find or
start a project which will either result in absolute lulz or rape (hence
"whatever works, whatever gets it done"). The idea is to maximize rape, not
grow an e-peen. If you aren't a namefag then growing an e-peen won't
factor in, and you'll understand how important contributing is.

••••/i/nsurgent•protips••••••••

*) Switch your name often, you are anonymous. If you want attention or have some
other psychological needs you can join g00ns. Nothing against them, but they
will offer you what you want so that you don't douse decent lulz-worthy raids
with your general faggotry.

*) Proxy now instead of later. Even though no shit will happen to you by just
entering a channel, if you later decide to do something illegal, and keep the
same fucking name you logged in with that links to your ip, which your ISP
will be able to link to your SUBSCRIBER ACCOUNT/BILLING ADDRESS, then yeah,
you're a faggot and deserve jail raep.

*) Contribute and post screen shots on teh chans + talk some. If anyone kicks
you, show them your screen shots of lulz.

*) You do not need to be an ircfag. Ideally you wouldn't be lurking there at
all and all of your work should be posted to boards, but the irc is
efficient. It would be very hard to talk, collaborate and have good intel on a
chan.

*) Do not worry about "working your way up the irc channels/mods." In fact, you
shouldn't be doing that at all. If you are looking for social
interaction/importance then gb2/gaia. Also, if you are from gaia or are just
a fag in general and are looking into this because you think it's "trendy",
you will be doxed in a matter of time, could be as soon as a week, or later in
a month, 3 months, eventually, if you don't gb2/gaia and stay there.


••••/h4ck/er•protips•••••••••••

If you think rooting = the ultimate hack then you're a shitpile n00b. If
you want to make an impact, and lulz over what a group, community (fags) and
company had to put up with from what you did with your keyboard, then this
guide is for you. Also, this isn't a pissing contest. Nobody gives a shit about
how good you may or may not be. Also if you are anonymous, this wouldn't apply
because in effect, you don't exist, but your work does.

*) Blame it on a namefag. Anything you write, claim credit for it using
someone else's name. Party van tracks us the same way we dox faggots:
tracing aliases is step #1. Afraid that your exploit will cause enough
monetary damage to warrant an FBI investigation? Hop onto the partyvan irc,
find a random namefag there and blame it on him for teh lulz.

*) Do collaborate with other h4ckers and learn from them. Share source code at
your own discretion. Also you can offer help if you know a lot about a
particular field (ie: if it's your irl job or something you happen to know
the ins-and-outs of).

*) Learn how to hide your tracks and how the internet fucking works before you
start talking, let alone doing anything illegal. Learn how proxies do
give you security, yet can be compromised. Learn how Tor works.

*) Don't read from white hat websites. These are shitpile havens for idiots.
The problem with most people is that they want to appear smart, but only for
the sake of impressing others. Most of their shit is later proven wrong (as
it eventually has to be, since they go around informing too many shitpile
noobs who believe everything at face value and can't fucking learn how to
filter noise from content). Most of the websites are making money off of
adsense, if that helps you at all. DO ORIGINAL FUCKING RESEARCH AND TEST YOUR
OWN WORK AND IF YOU CAN'T LEARN HOW TO FILTER OUT SHIT FROM GOOD THEN YOU WILL
NOT GET ANYWHERE.


•••Professions•••••••••••••••••

People are only good at what interests them so pick one or several you like.
Someone else can flesh out moar professions here. Again, profession != skill.
Skill is up to you and your creativity. A simple programmer can beat out a
software engineer if he is more creative.

Programmer
\
\
Software Engineer
|
|
VXer

Programmer
-Understands a programming language, hopefully C or Java
-Can help with writing some tools, but fails to understand how to
code some things or needs help.
-Can read source code of tools and understand them
-Should be reading a lot of source code to become better

Software Engineer
-Able to create tools for raids. Very helpful, somewhat common
-Able to find simpler exploits, such as XSS
-Able to exploit the already discovered

VXer
-Highest level of coder, a virus writer/GOD
-Knows Assembly very well. Works from the lowest level, most difficult.
-Able to reverse engineer software and discover trade secrets and exploits
-Can discover software exploits well/buffer overflows/good ones
-Rare to non-existent. Needed, but most difficult.

This is just to give you an idea of what's out there. This is in no way some
kind of theory or application.



•••Basics•••••••••••••••••••••••

At this point everyone knows how to program. Don't be concerned if you are new
and you still have more questions. This part of the guide will be the last to
teach and cover basics. Often times the problem in /h4ck/ is that there are
questions from noobs who just don't know how computers or networks work in general.
Knowing how to program is the only way to understand how computers AND networks
actually work. There are some basics that need to be covered.


••••How•Computers•Work•••••••••

If you are really new, just google it and read a simpler guide b4 reading this.

Everything occurs at the CPU, essentially. And it is sequential; one at a time.
NOTHING on your computer runs simultaneously, even on dual processing, because
one of those CPUs has to wait for the other to finish :P. It's simply breaking
up what one CPU would have done anyway, ONLY IF the programmer designed it for
dual core (threading according to that architecture). Often times you can hit
ctrl + alt + del and see a process like a game consuming 50% of your CPU
because that game, like most every other program to date, isn't designed for dual
core. ANYWAY, back on subject:

Everything in the computer occurs in steps of finite time, ONE by ONE. This
time is known as the system clock, which runs at a certain MHz. Let's say it's
133MHz. However the CPU runs faster, yet on the same clock speed. How? It runs,
as set in the BIOS (check yourself), at a multiplication factor of the system
clock. So say it runs at 9x (system clock), or 9 x 133MHz = 1297 or 1.3 GHz. So
the CPU can do 9 operations before the system bus (which runs at the speed of the
system clock) will be accessed (if needed) to get something from RAM, an HDD, or
a device. As a computer user, the only thing you ever do on a computer is play
around with the CPU, using an application to do this for you. THE CPU then
reads/writes to everything else in the computer... the CPU controls the rest of
the computer. As a programmer you control the CPU much more closely. Obviously
you can't do shit on a computer if you don't understand it, and you can see
where programming comes in as a need to know. Also, multiple programs ONLY seem
to run on a computer simultaneously, but they are, in reality, being given a
small fraction of time to run, in a priority queue, then kicked off the CPU by
the OS's CPU scheduler, which hands the CPU to the next process in line. For the noob,
process = program. Program = simple user level talk.

The goal of any hack is to get access to the CPU, essentially. Obviously root or
an admin account would be prime access to run the best applications, BUT if you
can inject your own code in there during a user session (often called shell code)
to give you such an account or a higher level system privilege, then you are in.


•••••Languages•Control•All•••••

A non-interpreted language is compiled directly into executable objects. These
are files, often in a particular OS format (like PE format for windows). Within
this format will be the .text section, which contains all of the CPU
instructions. This object file, like a .exe on windows, is loaded and given its
own id, and the CPU scheduler determines when it will be loaded in. System
processes are given higher priority, but they pretty much take turns. Windows
uses 32 priority queues. The top 16 belong to system processes. The scheduler
starts with the highest number queue and works its way down until it finds a
process that needs to run (its status will be set to waiting, as in it's waiting
to be run on the CPU). Otherwise its status will be blocked and it won't run
on the CPU because it doesn't need to. Also it could be waiting for I/O, which
is relatively VERY slow compared to the CPU. This is where multi-threading
comes in. One thread will do I/O so that the entire process isn't blocked. This
is how a good DoS tool works too, so that it doesn't do 1 crappy request at a
time, but uses many threads for each I/O.
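A toy model of the scheduling just described, written for this edit (not code from the guide, and a deliberate simplification of the real Windows scheduler): 32 priority levels with the top 16 reserved for system processes, a scan from the highest level down that dispatches the first ready process, time-sharing within a level, and a process that asks for slow I/O being marked blocked and skipped until the I/O completes. The process names and their I/O behaviour are constructed.

```python
"""Toy priority-queue scheduler: 32 levels, highest ready level wins,
blocked (I/O-waiting) processes are skipped. Simplified model, not the
real Windows scheduler; the demo processes are constructed.
"""
from collections import deque

NUM_LEVELS = 32                  # one FIFO queue per priority level
SYSTEM_LEVELS = range(16, 32)    # the top 16 levels belong to system processes

READY, BLOCKED = "ready", "blocked"


class Process:
    def __init__(self, name, priority, io_every=None):
        if not 0 <= priority < NUM_LEVELS:
            raise ValueError("priority out of range")
        self.name = name
        self.priority = priority
        self.state = READY
        self.quantums = 0         # time slices received so far
        self.io_every = io_every  # block for I/O after every N slices (None: never)

    @property
    def is_system(self):
        return self.priority in SYSTEM_LEVELS


class Scheduler:
    def __init__(self):
        self.queues = [deque() for _ in range(NUM_LEVELS)]   # index == priority
        self.blocked = []                                    # waiting on I/O

    def admit(self, proc):
        proc.state = READY
        self.queues[proc.priority].append(proc)

    def pick_next(self):
        """Scan from the highest level down; return the first ready process."""
        for level in range(NUM_LEVELS - 1, -1, -1):
            if self.queues[level]:
                return self.queues[level].popleft()
        return None   # nothing ready: only blocked processes, or none at all

    def run_quantum(self):
        """Give one time slice to the chosen process; return its name."""
        proc = self.pick_next()
        if proc is None:
            return None
        proc.quantums += 1
        if proc.io_every and proc.quantums % proc.io_every == 0:
            # The process asked for I/O: it waits off the CPU instead of spinning.
            proc.state = BLOCKED
            self.blocked.append(proc)
        else:
            # Time-sharing: back to the tail of its own level's queue.
            self.queues[proc.priority].append(proc)
        return proc.name

    def io_complete(self, proc):
        """The slow I/O finished; the process is ready to be picked again."""
        self.blocked.remove(proc)
        self.admit(proc)


def demo_trace():
    """Six slices: a system process that blocks on I/O after each slice,
    plus two user processes sharing one level."""
    sched = Scheduler()
    service = Process("system-service", 24, io_every=1)   # system level, I/O bound
    game = Process("game", 8)                              # user level, CPU bound
    editor = Process("editor", 8)                          # same level as the game
    for proc in (service, game, editor):
        sched.admit(proc)
    order = [sched.run_quantum() for _ in range(4)]
    sched.io_complete(service)   # disk came back: the service outranks both again
    order += [sched.run_quantum() for _ in range(2)]
    return order


if __name__ == "__main__":
    print(" -> ".join(demo_trace()))
```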

The only way you will do anything on a computer is through a process. If you
can't write processes, or engineer your own code into one (buffer overflow),
then how can you ever claim to be a hacker? There is no flashy program that
"hacks", or even a command line tool. And linux has nothing to do with hacking
other than the fact you need to know what the fuck to do on a linux box provided
you get into one. It would be pretty fail if you get in but have no clue as to
what to do. And an OS is all code, just the very same way a process is, save
for the fact that it is the process which is originally loaded, and it takes
complete control over all of the computer and only allows other processes to
run on time-shares.

As a hacker you will always need to do something tailored to your needs; there
is no precompiled solution for everything. And why wouldn't you prefer
your own control over the computer instead of an application? Users are forced
to use applications in order to get the computer to do what they need. A hacker
forces the computer to do what he/she wants it to do based on his/her wants.
Of course you are never to re-invent the wheel if something already done is
sufficient for what you are doing, however often times the task at hand
holds intricate requirements. For example if you're installing a virus on a
machine that you want to initiate a DoS at a certain time (maybe
whitehouse.gov? :S), you should definitely use a module somewhere already written
for that, provided it doesn't trip any AV. No point re-writing something so
simple and obviously something incredibly modular like that.


••••Networking•Basics••••••••••

Protip: A server is a process running on a *PORT*. The service running on that
port is a server. Colloquially a server is a machine; technically it is a
service that a client connects to.

Basically, it is just: computers running routing software (aka: A ROUTER!) +
DNS lol.

The internet is a network of networks, interconnected at certain high volume
areas. If you and your neighbor are on the same ISP then when you connect to
his pc for a game or w/e you only hop to routers located within that
network. Consequently your traffic will never leave that town. However if the
same neighbor was using a different ISP your traffic would prolly be routed to
DC, New York, LA, Atlanta, etc, some major city where the two ISPs can be
traversed.


•••••IP•Addresses••••••••••••••

Again, the internet is a network of networks. These networks are inter-connected
(hence internet!) via routers. Networks like universities and ISPs, which then
are routed to much larger networks like level3 for example. The way an IP
address works is, yes, it is like the "virtual address" of your computer. But
here's what's worth noting... An IP address is routed (obviously by routers) to
its destination based on the IP number itself, and of course the router's
following of TCP/IP (using routing tables).

Certain organizations are granted blocks of IP addresses; for example Harvard
was granted the entire 128.xxx.xxx.xxx (class A) block awhile ago. This
obviously isn't done anymore. Routers will forward packets based on the
destination IP address, getting closer and closer, examining as much of the
A.B.C.D address as needed. Technically you can set up your own home network and give your
machines whatever IP you want; packets will be forwarded based on your router's
tables. Obviously this network and its current configuration will never be
asked about by any other admin from another network if they want to connect the two.

A LAN, still running on the same TCP/IP protocol that the internet uses, will
use internal IP addresses to route its traffic. These IP addresses are in the
format of 192.168.x.x. These are not routable on the internet; they
are reserved for local area networks. So yes, behind a network when you
want to connect to something like 192.168.1.2 you might connect to a printer
set up on your home network (if your printer is configured to be accessible over
the network, and obviously it will be physically connected to a router...). Most
people are given a router/modem combo from their ISP, thus this paragraph
explains why your IP address appears to be 192.168.x.x instead of what whatismyip.com
will tell you (which is the external IP address of your router). Its internal
IP address will be in the format of 192.168.x.x. Learn more about ARP to get the
full picture.


•••••TCP/IP••••••••••••••••••••

TCP/IP is a suite of protocols. Keep that in mind. It encompasses ones you have
most likely heard of: TCP, UDP and IP. Also, IP Address = part of the IP
protocol; they follow it and pertain to its rules. Routers do the same so that
they can read IP Addresses and forward packets correctly.

Read a book on TCP/IP. You can sorta skip the ISO network stack and focus on the
TCP/IP part. Basically, the tl;dr version:

[Physical layer][Link Layer][Network Layer][Transport Layer][Application Layer]
This describes how data is sent in packets. Each packet has the following
layers. Each layer is built in order for each part of the network to forward it
to its destination. These layers break up the packet, since it is just data,
hence why it's called a datagram. Each layer is added by the appropriate
software.


Now to explain the layers in the order that they are *READ*:

Physical Layer - This layer is read by equipment that telecom companies operate,
like switches, trunks and other boxes in CO stations. We don't really delve into
this here :S

Link Layer - Typically this is used for how data is transmitted over an ethernet
cable. A router can read this and use the MAC address (every device connected to a
network has a MAC address, not just NIC cards). This layer contains the MAC
address.

Network Layer - This is THE IP layer. It contains the destination IP address and
source IP address (your IP address). This is what routers will read in order to
forward your packet over the internet. They will read and replace each Link
Layer in order to forward the packet to the next router, but while any packet is on
the internet, this layer is not replaced, though it is definitely read at each
router. Again, IP Address = THE TCP/IP protocol. Rather, one of the

Transport Layer - Typically either TCP or UDP. This layer contains information
relevant to the connection. This layer contains the port number, and only
needs to be read by the destination machine's TCP/IP software. However "deep
packet inspection" can read this, as can NAT routers, which have to read it.
Anyway, TCP is the connection based protocol, UDP is completely connectionless
alone, unless the application simulates a connection using its own rules. Just
read over these two in a book, you'll get the complete understanding + PICTURES.

Application Layer - The application layer is JUST data for the program that uses
the said connection. This data is the content of the connection. The application
writes whatever it wants to this stream and reads all content from it just as
though the two weren't connected to the internet. This is how the layer approach
strictly divides and SEPARATES data so that things run smoothly and simply.



•••Raiding•9001••••••••••••••••
Internet Hate Machine + technical expertise = ???

Most likely a website raid. This is not a PA how-to on hacking your ex-gf's/stalked
victim's PC. You prolly don't even have the capacity to do such anyway :S
But that doesn't mean PC hacking is off limits. If you can hack a website's
webmaster's, developer's or mod's PC, that produces MUCH lulz. The sky's the limit,
after all... so nothing is off limits, ever. As an /i/nsurgency we focus on
websites, so keep that in mind.


••••Websites•••••••••••••••••••

The target is not a web server. The target is the target and anything related
to said target. This includes the web server, the staff, the community. Also,
rooting != the end-all win, not by a long shot. It will last for a couple of
hours and be patched up, but nonetheless it's pretty win psychologically. The
goal is to cause as much damage as possible; rooting can be done, but it is
guaranteed that there are other actions that will cause much more damage,
and lulz, than an attack lasting only for a couple of hours.

You will really need to know some basic TCP/IP, completely know HTTP and know
HTML, and some basic javascript. The js is to help you emulate in case the
js is redirecting or modifying something that will end up in a POST request,
AND for XSS obviously.


•••••HTTP•Botting••••••••••••••

Highly effective against online communities. These drive the owners, members
and devs fucking crazy, cost them a lot of money, and are a constant annoyance.
From viewing moderator forums that a fellow anon hacked into, it was seen that
the devs and mods f-u-c-k-i-n-g hate bots. So, when raiding, BOT every thing
you can. Always bot the content reporting systems to fuck up their ability to
report shit! They will respond with adding a captcha = also win. Then move
onto other things, such as their forum, and whatever else can be spammed.
Be sure to write RE-USABLE code so that when you go from one system to the next,
you can write each spammer (which is an HTTP Bot) quickly and easily. Hint:
Use object oriented programming, and have an HTTP Bot class which can be
extended easily.

The steps to botting are fun and simple. Also, provided there is not a very
complex CAPTCHA, YOU CAN BOT ANYTHING. As long as your browser can do it, you
can bot it, because botting is just emulating your browser. If you ever run into
a problem it's because you are not emulating the web browser closely enough. Also
allow all of your bots to use tor or some other user specified proxy.

0) Learn HTTP. Read up on this protocol, you'll learn a lot of need-to-know shit

1) Emulating the target service. Run IE, clear cookies (because your bot prolly
won't save cookies once it closes (it will save them and use them while running, of course),
and of course, your bot will not initially have any cookies the first run
anyway). Now run Fiddler2. Examine the request and response headers. Ignore
any SSL (port 445), images, css. But take note of HTML and JS. Don't read the
HTML lol, just copy and paste it into a new .html file on your computer to
quickly view it or use Fiddler2's integrated browser. SAVE this for later use.

2) Now that you have mapped out the details, begin coding. You'll want to emulate
any POST requests; find the post parameters and anything in the query string.
This is how u emulate your requests. Also try to copy certain HTTP request
headers, like referer, user agent, and the one that says "Form encoded" is
important. However, you should be using something like Mechanize (for perl), or
Apache Commons HttpClient (for java). Something which takes care of handling
cookies and emulating a lot of the browser. You won't need to set a lot of those
headers because you'll use something like the prior mentioned to do that for
you.

3) Run your bot, but set your program to use an HTTP Proxy running on port
8888. This is fiddler2; you'll want it to connect thru that so it can read your
bot. Then compare this with your saved copy and see where you are not emulating
correctly.

4) Maintenance - If the target website changes something to break your bot, you
will want to use fiddler to see where your bot doesn't correctly mimic IE, by
comparing the two Fiddler sessions (1 from IE, and 1 from your bot). Otherwise
if they added a CAPTCHA you win. Next would be breaking the captcha OR writing a
tool which automates captchas so a fellow /b/tard can solve them to produce lulz.
Ideally if you can write this as a web app so ppl can just visit the web site
instead of d/l something, that would be pretty win. But CAPTCHAs are becoming
broken more and more every day so look into that.

5) This isn't the fifth step but, rather, a note. You will want your bots to be
multithreaded. If they aren't they will only be able to spam one at a time. If
they are multi-threaded, you can load several accounts in at a time.

Finally you will want to create an auto captcha program. This will bot the target's
user registration system and allow you to only enter 1 captcha to create an
account. Eventually the target might start to check that the client isn't running
a proxy on port 80, or port 8080. As well as begin ip b& automatically after
a certain number of registrations. In this event, you will need to have a LARGE
list of GOOD proxies that you can serve up on a web server so that your
spammer programs can call this list and get a fresh proxy server. You can use
a combination of web spiders and wget to build your own proxy list. Also at
the time of this writing, there is a current anon project related to just this.
Hopefully it will be up indefinitely.


•••••Session•Hijacking•••••••••

-grab cookies
-simply take all cookies (just a string), and use the Modify Headers Firefox
extension to log in as the victim
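Pasting a stolen Cookie header works because the session cookie alone proves identity. On the server side the usual countermeasures are cookie flags that keep scripts and plain-HTTP proxies away from the value, plus a check that the session id is still arriving from the client it was issued to. This is an added example, not code from the original file; the function names, the in-memory session store and the sample addresses are assumptions.

```python
# Added defensive example: issue the session cookie with HttpOnly/Secure/
# SameSite and flag a session id that shows up from a different client.
import hmac
import secrets
from hashlib import sha256

_sessions = {}  # session id -> {"user": ..., "client": fingerprint}

def client_fingerprint(remote_ip, user_agent):
    # Hashed so the stored value reveals nothing if the store leaks.
    return sha256(f"{remote_ip}|{user_agent}".encode()).hexdigest()

def issue_session(user, remote_ip, user_agent):
    """Create a session and return the Set-Cookie header value for it."""
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
    _sessions[sid] = {
        "user": user,
        "client": client_fingerprint(remote_ip, user_agent),
    }
    # HttpOnly: page scripts (and therefore XSS) cannot read document.cookie.
    # Secure: never sent over plain HTTP, where an intercepting proxy sees it.
    # SameSite=Lax: not attached to cross-site POST requests.
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

def resolve_session(cookie_header, remote_ip, user_agent):
    """Return (user, hijack_suspected). A cookie value copied onto another
    machine produces a fingerprint mismatch and is rejected."""
    pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    sid = dict(pairs).get("session")
    record = _sessions.get(sid)
    if record is None:
        return None, False
    presented = client_fingerprint(remote_ip, user_agent)
    if not hmac.compare_digest(record["client"], presented):
        return None, True  # same id, different client: treat as hijack
    return record["user"], False
```

Binding to the source IP is a blunt instrument (mobile and corporate users change address mid-session), so a real deployment would log the mismatch and force re-authentication rather than silently dropping the user.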


•••••XSS•••••••••••••••••••••••
-XSS basics
-make sure to hide XSS from devs
*Do not ever submit XSS in the form of alert("whatever"). Any user/dev will
find this and fix it. Use a combination of Greasemonkey/Firebug to set
arbitrary DOM objects to arbitrary values that you can test are set. Refer to
tools at the bottom of this file.
-XSS worms
*An XSS worm is one that uses JS to redeploy itself. EX:
Take a social networking website that has an XSS exploit:
The exploit allows the attacker to run whatever JavaScript they want to. So,
if they use JS to direct their browser to send a message to someone, or they
implant the JS into their profile, it will spread like a virus. Then give it
a timed or triggered payload and BAM, CP on everyone's profile page!
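The worm above only works because the profile page echoes user-supplied text straight into HTML. The fix on the site's side is to render every untrusted field in a known context with the matching encoding, and to refuse link schemes that execute script. This is an added example, not code from the original file; the profile fields, helper names and CSP policy are assumptions.

```python
# Added defensive example: render untrusted profile fields so embedded script
# never executes, which is what stops a self-propagating profile worm.
import html
from urllib.parse import urlparse

SAFE_URL_SCHEMES = {"http", "https"}

def escape_text(value):
    # Element-body and attribute-value context: &, <, >, " and ' become
    # entities, so a stored <script> tag is displayed, not run.
    return html.escape(value, quote=True)

def safe_href(url):
    """Allow only absolute http(s) links. javascript:, data:, vbscript: and
    scheme-less tricks all collapse to a harmless '#'."""
    cleaned = url.strip()
    parsed = urlparse(cleaned)
    if parsed.scheme.lower() not in SAFE_URL_SCHEMES or not parsed.netloc:
        return "#"
    return html.escape(cleaned, quote=True)

def render_profile(display_name, about, homepage):
    """Profile fragment with every untrusted field in an explicit context."""
    return (
        f"<h1>{escape_text(display_name)}</h1>"
        f"<p>{escape_text(about)}</p>"
        f'<a href="{safe_href(homepage)}" rel="noopener">homepage</a>'
    )

def csp_header():
    # Second layer: the browser refuses inline scripts and javascript: URLs
    # even if an encoding bug slips through somewhere else on the site.
    return ("default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'")
```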


•••••Breaking•Captcha••••••••••

-Some captchas = shit
-others are good, like google (yet all are breakable)


-Use erosion to filter noise (eats away pixels with little density)
-convert to binary image (black and white only)
-segment (pull each letter out)
-if the words are complete words, use dictionary.com (open an http socket
obviously...) to improve accuracy.


•••••Phishing••••••••••••••••••
-use previously written spammers on the target website to proliferate links.


•••••DoS•••••••••••••••••••••••
Really need GOOD information on DoS. A lot of retarded shit out there.


•••••••Weak•Spots•••••••••••••••
Weak spots to focus on besides just bandwidth and network software.
ex: searches can tap the CPU harder.
Weakest link theory: there is a bottleneck somewhere. Find it and exploit that
area. If attacking, hit the weakest area; that's fundamental to every attack,
so it goes for DoS too. There are people whose job it is to tie up these
weak areas. This part of the text file needs to go over how to find them.
Like with the Subeta raid, and how they used the forgot-email service.
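The defending side of this observation is that a flat requests-per-second limit protects the cheap pages and leaves the expensive ones (search, the forgot-password mailer) wide open. This is an added example, not code from the original file: a token bucket that charges each endpoint by its cost, so the weak spot exhausts a client's budget first. The endpoint costs, capacity and refill rate are assumed values.

```python
# Added defensive example: cost-weighted token bucket so CPU-heavy or
# abuse-prone endpoints run a client out of budget before cheap pages do.
import time

# Assumed relative costs; anything not listed costs 1.
ENDPOINT_COST = {"/search": 10, "/forgot-password": 25}

class CostBucket:
    def __init__(self, capacity=100, refill_per_second=5.0,
                 clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_second
        self.clock = clock          # injectable so tests can fake time
        self.buckets = {}           # client key -> (tokens, last refill time)

    def allow(self, client, path):
        """Spend the endpoint's cost from the client's bucket.
        Returns False when the client should be throttled."""
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.capacity, now))
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        cost = ENDPOINT_COST.get(path, 1)
        if tokens < cost:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - cost, now)
        return True
```

Because the bucket is keyed per client, the same structure also exposes which clients are hammering the expensive endpoints, which is the monitoring signal the text says someone needs to be watching.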


•••••R00ting•••••••••••••••••••
Need a good guide on this


•••••Stealing•Information••••••
Using wget to steal thousands of Yahoo emails and any other
information to spider-bot out of them.



•••Resources•••••••••••••••••••

For the shitpile noob: NO, THERE ARE NO FLASHING PROGRAMS THAT HACK SHIT. THERE
ARE NO COMMAND LINE PROGRAMS THAT WILL HACK SHIT LIKE WHAT YOU HAVE SEEN
IN A MOVIE. YOU HAVE TO ENGINEER SHIT; THESE TOOLS ARE FOR ENGINEERING.

Also, the /h4ck/ board should be a good resource if you can initiate a good and
thought-provoking conversation about something you have questions on but just
don't get from what Google tells you. Sometimes the answers are out there, but
they are too good to be simply found on Google, and too many idiots have
websites that create a high noise-to-content ratio, making any good information
very well hidden. Plus, anything you ask which is good can be seen by others
who hopefully had the same question; even someone more experienced may brush up
on a certain topic posted. But do not ask stupid shitpile questions like
"what can I do with an IP," or ANY Windows support questions. Support-type
questions like "how do I configure [hacking related tool] to do ______" are
fine.


••••Tools••••••••••••••••••••••
Fiddler2:
Great HTTP debugger (the best, and free too). It runs as a local HTTP proxy so
that it can read your HTTP connection. This is completely transparent and
your connection is no different, other than the fact that you can read it as
well as decrypt HTTPS connections that you normally wouldn't be able to. Your
browser will give you a certificate warning. To use this HTTP proxy with FF and,
more importantly, any HTTP bots that you write, you will need to configure them
to connect to an HTTP proxy running on port 8888.

Firefox Addons:
Modify Headers:
You can use this to modify the "Cookie" header if you steal someone's cookies
from a login-based website and you want to log in to that session.

Firebug:
Find the DOM inspector. Also, lots of helpful tools that are needed. A personal
trick of mine for finding XSS is to have the JS set some random object you see
in the DOM to something like 555, then use Greasemonkey to check if that value
is equal to 555 and have your Greasemonkey script do an alert("XSS found").
BECAUSE YOU DO NOT WANT THE ENEMY DEVS TO FIND YOUR XSS.

http://www.checker.freeproxy.ru/checker/index.php:
Proxy Checker


••••Links••••••••••••••••••••••

The following links have been checked and cleared for not containing stupid
shit. That is, you will not become more of a retard by visiting these websites,
unlike certain websites. What's worse than not knowing is thinking that you know
something, having spent time learning it, and just being a fucking retard for
having believed it at face value and been spoon-fed utter crap, then sharing it
and passing it on as "real information" to others. So, here be good links;
don't edit in links from crap websites with utter shit:



http://vx.netlux.org/
Great website for VX scene. rather, the only one lulz.

http://vx.netlux.org/lib/static/vdat/ezines1.htm
mostly old zines, but some good reads

http://www.textfiles.com/
again old, but might as well go over some history

http://www.phrack.com/
http://img.7chan.org/pr/



••••Reference••••••••••••••••••

http://www.googleguide.com/advanced_oper...rence.html
Very useful reference.







•••Closure•••••••••••••••••••••

Last tips to reiterate:
-you must know how computers/networking work. You must learn how to program
for that to happen, since OS = software. What you want to hack = software.
-stop reading white hat websites for any information. Do your own research.
-do not work your way up the IRC. MODS = FAGS
-stay the fuck anonymous.


In the end, Anonymous is for hackers, rather than going solo. The two just
fucking go together. Don't ruin it with namefagging and don't ruin your life
in jail because you made a mistake. The Party Van doxes people just like we
do... starting with a screen name. But they have access to much better info
than we do.
As for the Party Van... and all other namefags who write disclaimers regarding
their text file as being for educational purposes only: Fuck em.
We are Anonymous.
We are Legion.
We do not Forgive.
We do not Forget.

1 comments:

Anonymous said...

Really good .. Vinox