About m0untainrebel

  • Rank

Contact Methods

  • Website URL

Recent Profile Visitors

1,211 profile views
  1. I'm also interested in learning assembly. I just ordered the book Reversing: Secrets of Reverse Engineering. It looks like it covers a lot of the stuff I'm interested in learning, and has good reviews, but I haven't actually gotten it in the mail yet.
  2. Actually, someone figured out how to install OS X inside VMware, and made a torrent of it (not that I endorse downloading anything illegal or anything like that...). They pretended they were installing FreeBSD, because I guess OS X is a similar operating system, and it seems to work. On my computer it was very, very slow for some reason, even when I gave it 1GB of RAM, and I never got networking working, which is pretty essential, but I also didn't spend too much time trying. I was using a Linux host, but a Windows host should work fine.
  3. I don't know exactly what you need, but aircrack-ng is one of the most painless programs to compile and install from source. I don't think there are any dependencies that don't come with most systems. The latest version (1.0-rc1) source is here: http://download.aircrack-ng.org/aircrack-ng-1.0-rc1.tar.gz Just follow the install instructions.
  4. I'm interested in different techniques of modifying malware executables in Windows so that they don't get caught by antivirus software, like the DEFCON 16 Race to Zero contest. My understanding is that most AV software is signature-based, and only searches the disk (not RAM) for blacklisted signatures. So, to evade AV software, you just need to change the binary code enough to have a different signature. muts did a cool presentation at ShmooCon called Pissing on Your AV where he did a neat trick with XORing the data on disk and un-XORing it in RAM, to change the signature. I'd imagine that if you have source code for the malware, you can probably change it around a bit, maybe even do some random math, and recompile, and the signature would be different. Does anyone know of any resources for more info on this sort of thing, or howtos for different techniques? There have got to be a ton of different ways of doing it. Thanks!
  5. Pirating software isn't stealing, even if you never bought the original copy. If you made a copy of the software and then hacked into the software company's network and deleted their only copy of it, well, maybe that would be stealing. "Intellectual property" is a concept made up by big companies to rip you off.
  6. If all you want to do is wardriving, Vista with NetStumbler should work. But if you want to do much more than that (packet injection, cracking encryption, etc.) I suggest using a Linux distro and grabbing aircrack-ng. BackTrack 3 is a good choice, and it's a live CD so you can just boot from the CD if you want instead of installing it.
  7. Since I do a lot of web design and website programming, I normally make sure I have Geany (a great text editor) and gFTP, and then I normally set up and configure Apache, MySQL, and PHP, with all the appropriate modules, making sure the services don't start automatically. Then I set up Tor and Privoxy. I also set up Enigmail for Thunderbird to make GPG encryption easier, and Torbutton, NoScript, and Web Developer Toolbar for Firefox. I also make sure I have nmap and aircrack-ng. Most other things I just set up as I need them.
  8. lugner, I don't have access to files on the server. I need to be able to figure out how to exploit this script without changing any of the files. And yeah, I actually tried using a backslash, and it didn't work. The server I'm working on is a LAMP setup. Interestingly enough, it seems that this server just tries to escape my backslash, so if I try looking at ..\file.php, it actually tries ..\\file.php, and says that file doesn't exist.
  9. I found a PHP script that looks a little like this (dnl.php):

     ```php
     <?php
     // dnl.php: reads the file named in ?file= and prints it as hex
     $url = $_GET['file'];
     $url = str_replace("/", "", $url);   // strips every slash from the name
     echo hexcode(file_get_contents($url));
     ```

     hexcode() is defined somewhere else, and it basically just reads a file, converts it to hex, and displays it to the page. So I can use this to figure out the contents of every file in the current directory. So I can go to dnl.php?file=whateveriwant.php to get the contents of it in hex, convert it back to ASCII, and see what it does. The second line cuts out slashes, so if I go to dnl.php?file=../../whatever it turns $url into "....whatever", or dnl.php?file=/etc/passwd makes $url "etcpasswd", which are both invalid filenames. I've tried putting the hex character for slashes in the URL (dnl.php?file=%2Fetc%2Fpasswd), but that still creates the slash character, which still gets stripped. I even tried using PHP's string processing to get it to work, with a URL something like this: dnl.php?file={$_GET}&url=/etc/passwd with the idea that $url would be stripped of slashes (and there are no slashes in "{$_GET}") and instead pull up the value of $_GET['url'], /etc/passwd. Didn't work. This script is so small and simple, there's got to be some way for directory traversal to work. Any ideas?
  10. Well, for this example I'll just use binrev.com. We know that binrev.com is running a web server already, and a DNS lookup shows that binrev's IP address is I did the DNS lookup with iptools.com: http://iptools.com/dnstools.php?tool=dns&a....com&type=A But then if you do a reverse DNS lookup to see what domain is associated with that IP address, you get unknown.carohosting.net, not binrev.com: http://iptools.com/dnstools.php?tool=rdns&...ta= I don't really know enough about how DNS works to know exactly what unknown.carohosting.net is (other than a server that the company that's hosting binrev.com controls), but if you do a DNS lookup for that domain the IP address is, not, which is the IP for binrev.com. So anyway, my point is, nmap automatically does reverse DNS lookups for you if you supply an IP address, but those lookups might not actually be the domain name you're after. You can, however, just use the IP address of the server to access the website, and from there there might be clues to what domain name they're using. Since binrev.com's IP is, check out but if you go to http://unknown.carohosting.net/ you get the same thing as going to, a blank page. Anyway, if you want to see if web servers are installed in a block of IPs using wildcards, you would do something like this with nmap. I didn't use wildcards, I just portscanned binrev.com's IP:

      ```
      ~$ nmap -sS -p80
      Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-21 19:34 EST
      Interesting ports on unknown.carohosting.net (
      PORT   STATE SERVICE
      80/tcp open  http
      Nmap finished: 1 IP address (1 host up) scanned in 0.409 seconds
      ```

      This will do a stealth scan on port 80 (HTTP, aka web servers) for whatever IP addresses you give it. If you do this with a range of IPs, it will tell you which ones have web servers accessible to the internet on port 80, and you can access them by going to their IP address. Hope this helps.
  11. I did google it, I just didn't realize that password lists for cracking were commonly called "word lists". If you search for "password lists" or "dictionary password lists" or any variation on that, you don't get anything. http://www.google.com/search?hl=en&q=%22password+list%22
  12. I'm playing around with Hydra for the first time. It wants a list of usernames and a list of passwords to try. I can come up with a good list of usernames myself, but does anyone know any place to find a big comprehensive dictionary password list? I googled for quite some time and couldn't find one, and I'd rather not make my own (unless I combine several that I find). Also, is it possible to make Hydra brute force usernames and passwords rather than just checking against a list, or is there any other software that anyone knows of that does brute forcing on SSH2 and other such services? Thanks!
  13. I've never done wireless sniffing in Windows, but aircrack-ng is good Linux software for sniffing traffic, using packet injection to get more IVs, and cracking WEP encryption. Their website says they have a Windows binary you can download: http://aircrack-ng.org/doku.php It might be hard getting Windows drivers working for packet injection though. And yeah, I'd steer clear of NetStumbler. Kismet automatically detects NetStumbler packets and tells you if there's a Windows wardriver in the area. A book I've been reading, Wi-Foo, suggests writing a program that waits for NetStumbler traffic and then sends out tons of fake response packets to confuse the Windows user. Basically, you can't trust the results, and it's not stealthy at all.
  14. I started with C/C++ for a couple of years, and then moved on to PHP/MySQL for web development, which is almost all I've programmed in in the last several years, not so much for hacking as for developing websites, but it's useful for both. I've also learned bits and pieces of lots of other languages on the way. If you want to focus on website hacking, I would suggest learning PHP and MySQL databases, and practicing writing your own guestbooks and simple CMSs, securing all the forms, and pen testing them yourself to see if you can get away with any SQL injection or anything. Also, Ruby on Rails is getting way more popular in the web dev scene, and I think in a couple of years from now it'll dominate PHP, so that's a good thing to learn too. But for desktop applications, Python sounds like a good choice. I think I might try learning it myself.
  15. I don't know, I'm really split on disclosure vs. selling/otherwise using vulnerabilities. My instincts say if it's a free software project, try for responsible disclosure, and if it's a proprietary project, milk it for everything it's worth, but there are definitely exceptions for both.
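Added example, not code from the original posts: a hardened version of the dnl.php handler quoted in post 9. Instead of blacklisting "/" it confines reads to one fixed directory with basename() and a realpath() prefix check; the $downloadDir location and the hexcode() reimplementation are assumptions.

```php
<?php
// Added example (not from the original post): hardened dnl.php.
// The original stripped "/" from a user-supplied name and read whatever
// was left, which exposes every file in the script's own directory.
// This version only serves files that resolve inside $downloadDir.
// hexcode() is re-implemented here as the post describes it (assumption).

declare(strict_types=1);

function hexcode(string $data): string
{
    // bytes -> lowercase hex string, as the post says hexcode() does
    return bin2hex($data);
}

function resolve_download(string $baseDir, string $requested): ?string
{
    // basename() drops any directory part ("../", "/etc/"), leaving a bare
    // file name; empty, "." and ".." are refused outright.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;          // serving directory missing: serve nothing
    }
    // realpath() normalises the path and follows symlinks, so a link
    // pointing outside the directory is caught by the prefix check below.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Resolved path must begin with "<base>/" to count as inside.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$downloadDir = __DIR__ . '/downloads';   // assumption: the only exposed directory
$path = resolve_download($downloadDir, (string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('no such file');
}
echo hexcode(file_get_contents($path));
```

With this layout a request for ../../whatever or /etc/passwd resolves to "whatever" or "passwd" inside the downloads directory, and a 404 is returned when no such file exists there.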