Script Kiddie FAQ

All tutorials we have thought to write or that have been compiled that do not explicitly belong in another category.
Post Reply
User avatar
weazy
Ex-Admin
Posts: 1688
Joined: Sun Jul 07, 2002 10:02 am
Location: any given
Contact:

Script Kiddie FAQ

Post by weazy » Fri May 30, 2003 7:15 pm

A tongue-in-cheek training session (with some moderately useful hints and tips)


Disclaimer:

No comments in this FAQ should be taken seriously. This FAQ is merely provided for entertainment/educational purposes only. By following any of the advice found in this FAQ, you could possibly go to prison and owe millions of dollars in legal fees and settlements. Blah Blah Blah .You assume any and all risk.



Statement: The purpose of this document is two-fold. One to show how easy it is to be a script kiddy (or Big-5 "Security Consultant"), and the second is to show network admins out there how easy it is for their servers to be exploited. Hopefully the admins out there will open their eyes and at least apply the necessary patches.



Introduction:

The first thing we should do in this article is define the term "script-kiddy". A script kiddy is one who knows nothing more then what is necessary to run scripts, these scripts are always created by someone else. Antioffline.com has an excellent RFC (Request For Comments) on script kiddies, which you should read now. Click this link to open the RFC (RFC-31337) in a new window and read it before continuing, you'll be glad you did.

If we define a script-kiddy as someone who knows nothing more then tools (ie. scripts) and not how or why they work, then you will understand why this article is called "Being a script kiddy FAQ", Netflood obviously does not have the time nor the resources to delve into every detail of why and/or how things occur. Being a "hacker" is more about the willingness to experiment, learn technologies and push the boundaries of that technology, not change the index.html file on a web server. But the real reason we put this document together was to hopefully cut down on the amount of useless questions that clog many of our email boxes.



"I visited attrition.org, securitynewsportal.com, and infosyssec.com ... and I still have no clue"



Well you're off to a pretty good start, these are all great resources. You still need to visit some other sites such as: antioffline.com, Packetstorm, and of course Netflood (you're here already).



Lessons from the underground:

1. Do not believe anything you read from antionline.com or happyhacker.org

Why: Because they are media hounds and will pretty much say anything for attention, right or wrong. They are also utter wastes of time and you will probably learn more by staring at a blank computer screen for three hours.



2. If you are on a modem do not try to DOS attack (discussed below) yahoo's, AOL's, or Microsoft's web servers. Unless you have rooted many boxes on the internet and installed distributed DOS agents, you will have no effect on them.

Why: Because the large providers have many multiples of servers (load balanced) with larger session tables then you have (session tables are determined by memory allotment), they also typically have OC connections to the internet (a 56k modem typically gets 53,000BPS or less while an OC-3 gets 155,000,000bps), it's basically like trying to flood an empty pool by spitting water in it (through a drinking straw)



3. If you have graduated to l337n3ss and have nmap running on your box and you are about to scan a host, DO NOT decoy yourself with yahoo.com.

Why: Because when you are scanning a host, the hosts admin (or firewall admin) will look and see 10 scans from yahoo.com and 1 from dialin-389.SD.california.aol.com, he might just be able to figure out which one is the real one and which are the decoys.



4. Do not go to any of the IRC "hacker" channels.

Why: While there are some exceptions; mostly it is just people sitting around saying nothing except when they can make fun of someone or repeat technical details from a book they have in front of them to make themselves look l337. BUT if you do deface a web server or do anything else that is illegal, l337 h4x0r law states that you must immediately go to an IRC server (channel: hackers or hacker or 2600), and immediately tell everyone what you did, where you did it, and how you did it. Don't worry; law enforcement agencies (or security companies) never monitor these rooms and everyone on the IRC server will be scared of your l337 skillz and would never rat you out to the cops (ahem.... mafiaboy).



5. Do not ask questions if you have not spent at least the last 10 hours looking for the answer.

Why: No one was spoon-fed any infosec knowledge (except maybe the big-5 accounting firms "security" consultants) and what they were spoon-fed is extremely minimal. While this does not apply to all of the Big-5 security consultants, it would be safe to say it does apply to 99.9% of them. You on the other hand will have to go through what everyone else has. This document will put you at least their level, perhaps higher depending on your previous knowledge.



6. If you are a network admin somewhere and you are looking for a security consultant, do not hire anyone from a "big-5" consulting firm.

Why: See answer above.



7. The Internet is not anonymous, when you do something it can almost always be traced back to you. Hence; it might be extremely important for you to learn how to spoof your traffic, telnet redirect, proxy, and phreak your way to anonymity. If you do not do any (recommend multiple) of those aforementioned tactics you will surely get caught.



8. You don't know that many lessons, and one you do not know will surely get you caught and sent to prison.

Why: Because there are people who spend every waking minute of their life thinking about, dealing with, and getting paid to know as much as possible and they were once where you are now, only they found out everything the hard way. Unless you personally have written and tested a tool that exploits an unknown vulnerability, will not be logged or detected by IDS', be very careful what you do and to whom you do it to.



"OK I'm bored, get to the good stuff - how do I do something fun?"

1. Install Linux*, I personally recommend Redhat 7.1 because I have had little trouble with it. There are other OS's out there which are extremely valuable (OpenBSD** comes to mind), the problem is the BSD OS's typically do not support as much hardware. Also because Redhat is the most widely used version of Linux, you will have less difficulty with library compatibility issues, etc. You will also be able to install a lot of useful tools and scripts using the Redhat Package Manager or RPM***. RPM's make installs extremely easy. Well ./configure, make, make install is easy too but RPM's are generally painless and generally only require one simple command: rpm -i *Name*.rpm

* if you are against installing and/or learning Linux/*nix variant please stop reading now and go away. It is a must have.

** OpenBSD is the hacker 1337 OS of choice because it takes the most *nix expertise to install and configure. RedHat and Mandrake are ridiculed by the true 1337 of the hacker community because it is the easiest to use (to use a rough analogy, OpenBSD is to RedHat as DSL is to AOL) However, for this reason, RedHat is the best choice for new *nix users.

*** RPM's can be found relatively easily by going to rpmfind.net



2. Even before installing Linux, please for the sake of humanity try to read at least one book on one of the following topics

A.) Networking [essentials and/or routers] - you should at least be able to install, configure, and troubleshoot a network interface card, modem, or connection.

B.) programming (any language - preferably C, PERL, and shellcode)

C.) Linux/*nix or any other OS (including MS)



You cannot be a REAL hacker if you do not even know the simple and elementary commands (such as ftp, telnet, or ping). If you script your way into an NT server do you know how to delete the logs? Did you even guess it might be important to do that? If not, read some more books unless you've always had a desire to be a man-toy for a big bald guy named "Bubba" (your future cellmate).



3. After you have installed Linux, a smart thing to do would be to lock down your box, but hey your "l337", no one will hack you if they know what's good for them, it's time to start downloading some tools. Many people who scan subnets looking for netbus, etc will usually have the server installed on their box because when they first installed netbus they thought having the server portion would be better then having the client. You are not that stupid though and no one on your network has more experience in this stuff then you.



4. If it didn't install automatically, download the NMAP RPM, and play with it for a little bit. Scan the IP address of an internal host (that you have permission to scan) or be truly l337 and look at your black ice logs and see the IP address of the last person that scanned you and scan them. Don't worry if they spoofed the IP address, you are mad and they deserve it.



"Well scanning is good but who cares what ports the person has open, I want to hack."

Answer: It's useful to know what ports the host has open, ports = services, and services generally equal vulnerabilities.



5. Inevitably every script kiddy always wants to know how to perform a DOS attack, so we will of course have to install a script. No good script kiddy should ever be without a DOS attack in their arsenal. In fact; let's SYN flood that spoofed IP address of the person that scanned you. They should never have messed with you in the first place.



Download synk4.c from netflood or from packetstorm. It's important to note that synk4.c can't be used for anything useful like testing session tear-ups or tear-downs on Load balancing switches (like Foundry or Alteon) or for testing spoof rules on gateways, or for validating SYN-flood protection software/hardware (like Checkpoint's SynDefender module). It is solely made just to attack people who are less l337 then yourself.



Compile synk4.c by typing gcc -o synk4 synk4.c the truly l33t will just type cc -o synk4 synk4.c now we simply type ./synk4 0 *VICTIM-IP* low/high (0 = spoofed source addresses and Low/high equals ports you will send traffic to)



"Yay, you are now a true script kiddy in every sense of the word. But wait.... a couple more things and you will be l337 enough to be a big-5 accounting firm "security" consultant and make money off people who are less l337 then yourself !!!!!!!!



Advanced Script-Kiddy tools



The first thing you have to do is download a trial version of ISS Scanner or Axent NetRecon or Cybercop scanner. Then head off to astalavista.com to look for the crack for it. Don't worry, it is perfectly legal to crack demo software, after all, if the company wanted you to pay for their software, they would never have offered a demo in the first place. They also will not sue the piss out of you if they catch you using their software illegally.

What can I do with this?: These are the most important tools to learn if you are going to work for a "Big-5" consulting firm as a "security" consultant. Companies will pay these "Big-5 consultants" to do penetration tests or audits and all the big-5 "security consultants" do is run one of the scanners mentioned above, print a canned report, and send it off to the client for a very large fee. The client not any smarter then the Big-5 consultants will not realize they could have had the exact same documentation by simply taking the time to download one of these demo scanners. The difference is: the demo is free, they are easy to use (run them in GUI in any Windows OS), and an audit by a Big-5 accounting firm = 20k +.



The second thing you should do (especially if you have a cable modem, etc) is download the dsniff RPM (Redhat Linux 7.1 includes it). Simply run dsniff -w scan.txt (this writes sniffed sessions to a file named scan.txt) ... come back about 15 minutes or an hour later and type the command dsniff -r scan.txt (which reads the file). You will then see every unencrypted authentication that occurred on your network and have numerous passwords and usernames. Yay, you can now open up other peoples email and generally make an ass out of yourself, because you are a truly l337 h4x0r.

Note: This tool cannot be used for anything useful like going to your management with their passwords and explaining to them the problem with unencrypted authentication/services/protocols.



"BUT ....Wait.... I can't hack a web server with this knowledge, and in order to be truly l337 I must be able to deface web pages..."

Ok you are right... you cannot be truly l337 (or engage in the China Vs. USA "hacking" war) unless you know how to deface web pages. The first thing you need to do is look for Microsoft IIS web servers. An easy way to do this is just to surf the web and look for web pages you want to deface. Then ping the web server to find out its IP address (there are easier ways to do this but you can't be bothered with that cuz you are a l337 h4x0r about to make your entrance into the underground). When your defaced page makes it on attrition.org and it's an IIS server, all the hackers will admire your l337 phj34r m3 h4x0r skillz and you will get a $95,000 a year job offers from companies like ISS (X-force), @stake, or maybe even the NSA (cuz the government always needs l337 h4x0rz who can deface web pages). To increase the chances of being offered a job, it's very l337 to mention you used the unicode exploit to get into the web server because no one currently defacing web pages has ever heard of this vulnerability. It is also extremely l337 to leave an email address and a note to the administrator saying he can email you to get the fix (Warning: you must know how to fix these vulnerabilities in order to do this). The administrator will be extremely grateful for your help and would never call a "real" security company, when they could call a l337 h4x0r such as yourself. If they do not call you keep breaking into their server because they will never ever catch you, you are l337.

.

now telnet to the servers IP address port 80- (ex. #telnet IPADDRESS 80) and type in get / http/1.1 or you can just download sam spade and it will do the same thing for you but with a pretty GUI. Real hackers like pretty GUI's and don't do anything at the command line.

Now after we enter the get command we should see output that looks like this



HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Connection: close
Content-Location: http://www.Something.com/Default.htm
Date: Sat, 05 May 2001 15:55:25 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Sat, 05 May 2001 05:27:27 GMT
ETag: "e8c7721224d5c01:87c"
Content-Length: 18926

"Blah Blah Blah Connection Closed blah blah blah"



YAY... we found an IIS server. Don't worry, it is definitely an IIS server because no one out there would ever change a banner to make it hard for l337 h4x0rz to figure out what web server software is running. Now download a Unicode exploit script from Netflood or Packetstorm... preferably unicode_shell.pl or download the Chinese version of Unicode.pl which also includes the l337 MSADC exploits!



now type this in:

./unicode_shell.pl

enter the hostname you want to exploit (ex. http://www.anyIISserver.com)

enter the port number: Which is typically 80



the program will then generate a list of vulnerabilities it found for that web server.

for example:

UNICODE exploit #1 ........ not vulnerable

UNICODE exploit #2 ........ not vulnerable

UNICODE exploit #3 ........ not vulnerable

UNICODE exploit #4 ........ VULNERABLE



when its all done it will ask what vulnerability you want to use: just type the number of whatever exploit it is vulnerable to. In this example we would type the number 4.



We now have a command shell in the web server... from there it is all fun and games. Hope you read a book on remote NT commands or that you at least know DOS commands. Change the index.html to whatever you want and leave the server. Hopefully you remembered to spoof your IP address and delete the logs or you will be getting a call from the local police department first thing in the morning.

Note: If it was a Chinese server, do not worry about it, no one is an innocent over there and you are only boosting your chances of getting a job at the NSA.



You are now a full-fledged script-kiddy/l337 h4x0r and can deface web pages and say a bunch of weird shit that no one cares about and go on your little tangent about how l337 you are. In fact, now would be a good time to go on IRC and brag about your l337 skillz, fight with someone, and then go deface a web page and curse at that person who you are much l3373r then. You can also take some of the scripts you downloaded and after bartering for hours, can trade them on IRC for other scripts from h4x0rz as l337 as you. These scripts are also freely available on the Internet, at any time.



You are l337.



Note:

This document was put together during the over hyped cyber-war between China and the US. After going to bablefish and translating most of the Chinese hackers sites, it was evident that the Chinese must be distributing this paper throughout their nation. It makes me laugh that the war is waged using unicode scripts. I would think that a "war" would be waged with custom created and never used tools, but I obviously gave far too much credit to those engaging in this "war"..... my bad. It also never occurred to me that those reading this document could be "fighters for freedom" -LOL



Conclusion:

While attempting some of this, you may have noticed details we left out. That was not by accident...
--The Devil is in the Details--

Post Reply