Aug. 10, 1998
URL of the day: http://www.rsa.com/standards/ Info on Encryption
See back issues of the Happy Hacker Digest and Guides to (mostly)
Harmless Hacking at http://www.Happyhacker.org.
GTMHH en espanol: http://underhack.islatortuga.com
TABLE OF CONTENTS
**This week's posts**
* NT Local GetAdmin Exploit
* NT registry default settings recovery
* Re: Part 1, The Magical Mystical Crypto-Primer
* How to fix ICQ trojan horse
* Start Button and Recycle Bin
* Visual DialogScript
* Linux CD's for Cheap
* Empty the bin from Anywhere
* Angelfire problem/exploit
* How to find and get rid of Back Orifice
**This week's Questions**
* Mac question
**Answers to last weeks Questions**
* In reply to the question about .au domains in whois servers
* Answer to Reg file Question from GTMHH
*** NT Local GetAdmin Exploit
From: MJE <mark@NTSHOP.NET>
July 27, 1998, (NTSD) - Three gentlemen from India have been
kind enough to
reveal to The NT Shop (http://www.ntshop.net or http://www.ntsecurity.net)
a serious hole in Windows NT systems (any version of Workstation
that readily grants the user complete membership to the Administrators
According to the discoverers, this exploit works against all
WinNT, including WinNT 5.0 betas, and may also be possible against
controllers in certain circumstances -- this is yet unconfirmed
un-demonstrated as far as I know. Their sample program, SECHOLE.EXE,
exploits the *LOCAL* user database.
THE EXPLOIT, IN A NUTSHELL: by using existing Windows NT services,
application can locate a certain API call in memory, modify the
in a running instance, and gain debug-level access to the system,
then grants the currently logged-in user complete membership
Administrators group in the local user database.
The NT Shop has reported this problem to Microsoft -- we've
been in close
contact with their security folks since last week, and are told
a fix is
ready -- I suspect they'll release a bulletin in the next 24
For more information on the problem, as well as a brief interview
discoverers and a working copy of the program demonstrating this
problem, visit our Web site where you'll find the page link at
the top of
the list in the left window frame.
http://www.ntsecurity.net or http://www.ntshop.net
*** NT registry default settings recovery
From: "Dennis Hettema" <email@example.com>
The following is not really hacking or stuph but it is a bit
Alka-Seltzer for registry probs with an NT server.
One of the things I really like to do is play around with
but if you're doing this too much you might (almost certainly will)
kinds of error messages and in other words you went a step to
Usually you'll have backups of the registry before you start
around in it, but if you sort of forgot to do this, try the following:
On the NT server in the
key remove all the values except:
When you restart NT it will automatically reconfigure all
stuff and optimize it with Microsoft's parameters.
[Dale - This key affects the Server service. If you mess with
you had better have a backup of your Registry...]
*** Re: Part 1, The Magical Mystical Crypto-Primer
From: "Panko" <firstname.lastname@example.org>
> ~~~~~~~~~~~~~~~~~~~~~~~~ Head Exercise ~~~~~~~~~~~~~~~~~~~~~~~~
> You can brute force a key of two digits in your head. Get a friend to
> think of a two-digit number, and not tell you. Easy to guess, right? There
> are only 99 numbers it could possibly be, so you count down the list 'til
> you guess the right one.
No. There are 100 numbers it could be. You have
counted 01 through 99.
You have forgotten poor little 00. 00 counts too.
I hope you're not one of those people who think the next millennium
in the year 2000. There was no year 0, but there was a
*** How to fix ICQ trojan horse
From: Shaka <email@example.com>
Useful info for subscribers of the Happy Hackers Digest and
The ICQ trojan horse (the one I have is called ICQ_SRV) adds
itself as a key
your registry. I ran a virus scanner which did not detect it,
but found out how
to get rid of it. To check if you have it and/or fix it, do the
Go to HKEY_LOCAL_MACHINE.
Go to SOFTWARE.
Go to MICROSOFT.
Go to Windows.
Go to Current Version.
In the RunServices "folder", there will be a key
called "Explorer". This key
should NOT normally be there! If you find it, note the folder,
and if it is an
ICQ\Received Files folder ESPECIALLY, delete the key and restart.
Your computer should function normally, and you have defeated
the trojan horse.
Feel free to email me if this is somehow incorrect.
--Shaka-- aka Corky6921 or Corky
*** Start Button and Recycle Bin
From: "..." <firstname.lastname@example.org>
Hey there man!
First of all, I'd just like to tell the ppl out there how
their Recycle Bin, using their Registry (and yes, I do make backups
my files, :) ) To change the text label, just search for the
"Recycle Bin" in regedit and change it. Then to change
empty and full icons for the bin, click on the Recycle Bin's
icon key. Then change the icon in that setting. At the moment,
shell32, 31 (that 31 is the number icon in the shell file). I
the 31 to 41, which is a tree!
OK then, I already know how to change the text on the Start
explorer.exe, but I would just like to know if there is a way
registry or in the explorer.exe file to remove or make invisible
Start Button ??
Thanks for running a brilliant digest!!
*** Visual DialogScript
I want to tell you of this excellent programming language
a friend found.
It is called Visual DialogScript. It is like Visual Basic but
on one disk!!!
I dont know the URL for this program, but the company's name
is JM Technical.
I found this program excellent and entertaining.
[Dale: The url is http://www.vds.sade.net/index.htm]
You don't need programming experience although a little bit
of BASIC would help.
The help feature is excellent with tutorials and tons of sample
There is a 16-bit and 32-bit version. I have the registration
code, if anyone
would like it please email me.
I have written 2 programs already!! Without any teachers help;
and a friend
wrote a program that will check ur Juno mail automatically!!
Although, there is one minor problem. Whenever you compile
your program, you MUST include a file called dsrun.exe (which
can be found w/ the download) for the compiled file to run properly.
*** Linux CD's for Cheap
A quick note for all who keep making excuses instead of getting
Linux up and
running... NO MORE EXCUSES! :)
If all that downloading has got ya in a quiver, check out
http://www.linuxmall.com/ to get any of the popular releases
like, on a handy-dandy CD, for a whopping $1.49. And if you just
which release you like, heck, order 6 of the most popular releases
bucks! If you are worried about doing some damage to your new
20 bazillion gig
HD, check out the computer section at http://www.ebay.com/computers/
I just picked up a used 640 meg hard drive (plenty big for
Linux) for 37 bucks.
And finally, if you really want to go all out (like I had to),
do not be
spend the 45 dollars on "Linux Unleashed" by Sams Publishing.
I had seen it
mentioned in past Digests, and I can't begin to tell you how
worthwhile it has
been to pick up. If an 'eternal newbie' like myself can do it,
most of you can, and better than myself. Then, let the fun begin!
Keep on keepin' on
P.S.- I've been getting the Digest almost since it started,
and it is
the most worthwhile piece of e-mail I read. Thanks for the great
*** Empty the bin from Anywhere
From: Chin Yau <email@example.com>
Ever wish to empty your Recycle Bin everywhere by just right-clicking
on any icon? Cool huh? Here is the way to do it.
Start Windows Registry editor by running regedit.exe. Navigate
until we reach the location (which is the first on most machines)
Next, right-click the ContextMenuHandlers folder and choose
Key. When the new folder appears, type the following:
Note :- All "0" are the number 0 not the letter
After that, exit the Windows registry editor. Now when you
any file, you will have the option to empty the recycle bin.
*** Angelfire problem/exploit
From: "un none" <firstname.lastname@example.org>
I am not sure if this exploit has already been discovered
but I felt
that this should be known. In Angelfire after you log in you
to a screen where you can choose what page to edit, delete, etc...
Well, if you view the document source it tells the full login
Now you say but how can I get this source. Well contact
the page owner
using icq, aim, mirc, or email and tell them that their page
hackable. Tell them to give you that screens source code
and you will
tell them if it is vulnerable. If you are trying to hack
hacking group's site there is no chance this will work but I
on many people and only one knew the password was there (and
people I tested it on claimed to be elite hackers), and all but
me the source. Now if you have the source these are the
lines you want to
look for: (Depending on their ad etc... the
source is shorter or longer so it isn't on a specific line)
<input type="hidden" name="storage"
<input type="hidden" name="hpd"
<input type="hidden" name="password" value="elitepass">
The first line is the state they say they live in (note: it's
in the site
url) the second is the rest of the login and the third is the
-This was sent by \\//\\//rath
ps- if you get busted don't blame me
*** How to find and get rid of Back Orifice
From: James Strompolis <email@example.com>
Though not specific to NT security there has been much talk
about Back Orifice
lately. I've played around with it a bit and here is a
way to find it and get
rid of it.
Installs a 122k - 123k file called " .exe" in c:\windows\system
with a modified
date of 7/11/95.
blank to " .exe".
Transmits data on UDP Port 31337 - it's in the readme.
An attacker can modify these defaults to be anything they
like but if you check
the registry entries under
and find one you are not familiar with (not the task scheduler,
not a virus
etc) that runs a 122k - 123k file (does not have to be an exe)
c:\windows\system folder, it might be worth investigating further.
could probably be padded to be a different size or the code could
mutate its size to help hide it. There was some speculation
in some of the
reports that a virus detection program might be able to detect
Network Associates McAfee Virus Scan did not set off any alarms.
scanner will view the program's actions as suspicious?
Unless there are hidden "features" (still letting
it run behind a firewall
logging all traffic on the Back Orifice machine as a test to
see if there is
more to it) it is just a useful remote admin tool in a semi-GUI
box that can be
custom packaged to take advantage of existing Win9x security
Let me know if you've found more.
Aleph Consultants, Inc.
From: X-Force <xforce@ISS.NET>
ISS Security Alert Advisory, August 6th, 1998
Cult of the Dead Cow Back Orifice Backdoor
A hacker group known as the Cult of the Dead Cow has released
95/98 backdoor named 'Back Orifice' (BO). Once installed
allows unauthorized users to execute privileged operations on
machine. Back Orifice leaves evidence of its existence and can
be detected and
removed. The communications protocol and encryption used
by this backdoor
has been broken by ISS X-Force.
A backdoor is a program that is designed to hide itself inside
host in order to allow the installing user access to the system
at a later
time without using normal authorization or vulnerability exploitation.
The BO program is a backdoor designed for Windows 95/98. Once
allows anyone who knows the listening port number and BO password
remotely control the host. Intruders access the BO server
using either a
text or graphics based client. The server allows intruders
commands, list files, start silent services, share directories,
download files, manipulate the registry, kill processes, list
well as other options.
All communications between backdoor client and the server
use the User
Datagram Protocol (UDP). All data sent between the client
and server is
encrypted, however it is trivial to decrypt the data sent. X-Force
able to decrypt BO client requests without knowing the password
and use the
gathered data to generate a password that will work on the BO
The way that BO encrypts its packets is to generate a 2 byte
hash from the
password, and use the hash as the encryption key. The first 8
bytes of all
client request packets use the same string: "*!*QWTY?",
thus it is very
easy to brute force the entire 64k key space of the password
compare the result to the expected string. Once you know the
value that will decrypt packets, it is possible to start generating
hashing random passwords to find a password that will work on
server. In our tests in the X-Force lab, this entire process
takes only a
few seconds, at most, on a Pentium-133 machine. With our tools
we have been
able to capture a BO request packet, find a password that will
work on the
BO server, and get the BO server to send a dialog message to
administrator and kill its own process.
Determining if BO has been installed on your machine:
The BO server will do several things as it installs itself
on a target host:
* Install a copy of the BO server in the system directory
(c:\windows\system) either as " .exe" or a user specified
* Create a registry key under
with the file name of the server file name and a description
either "(Default)" or a user specified description.
* The server will begin listening on UDP port 31337, or a UDP
specified by the installer. You can configure RealSecure
to monitor for
network traffic on the default UDP 31337 port for possible warning
In order to determine if you are vulnerable:
1. Start the regedit program (c:\windows\regedit.exe).
2. Access the key
Look for any services that may not have been intentionally installed
machine. If the length of one of these files is close to
124,928 (give or
take 30 bytes) then it is probably BO.
BO can be removed by deleting the server and removing its
If possible, you should back up all user data, format your hard
reinstall all operating systems and software on the infected
However, if someone has installed BO on your machine, then it
is most likely
part of a larger security breach. You should react according
to your site
Determining the password and configuration of an installed
1. Using a text editor like notepad, view the server exe file.
2. If the last line of the file is '8 8$8(8,8084888<8@8D8H8L8P8T8X8\8'8d8h8l8',
then the server is using the default configuration. Otherwise,
configuration will be the last several lines of this file, in
<filename><service description><port number><password>
<optional plugin information>
Back Orifice provides an easy method for intruders to install
a backdoor on
a compromised machine. Back Orifice's authentication and
weak, therefore an administrator can determine what activities
information is being sent via BO. Back Orifice can be detected
removed. This backdoor only works on Windows 95 and Windows
98 for now
and not currently on Windows NT.
(c) 1998 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without
of X-Force. If you wish to reprint the whole or any part
of this alert in
any other medium excluding electronic medium, please e-mail firstname.lastname@example.org
The information within this paper may change without notice.
Use of this
information constitutes acceptance for use in an AS IS condition.
NO warranties with regard to this information. In no event shall
be liable for any damages whatsoever arising out of or in connection
the use or spread of this information. Any use of this information
the user's own risk.
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
well as on MIT's PGP key server and PGP.com's key server.
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
Please send suggestions, updates, and comments to:
X-Force <email@example.com> of Internet Security Systems,
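The advisory above says a 2-byte hash of the password is the cipher key and every client request begins with the fixed 8 bytes "*!*QWTY?". The Python below is an added illustration of why that combination is trivially brute-forced; it is not ISS X-Force's tooling or any code from this digest, and toy_hash and toy_crypt are constructed stand-ins (the advisory does not give Back Orifice's real hash or cipher), so only the 16-bit key space and the known header are modelled. recover_key tries every key against the header alone, which is also how a sensor can recognise this traffic without knowing the password.

```python
MAGIC = b"*!*QWTY?"   # fixed first 8 bytes of every BO client request, per the advisory
KEY_SPACE = 1 << 16   # a 2-byte key: 65,536 possibilities

def toy_hash(password: bytes) -> int:
    """Constructed 16-bit password hash (stand-in, NOT Back Orifice's)."""
    h = 0x1505
    for b in password:
        h = ((h * 33) ^ b) & 0xFFFF
    return h

def toy_crypt(key16: int, data: bytes) -> bytes:
    """Constructed keystream cipher keyed by a 16-bit value (stand-in, NOT BO's).
    XOR with the keystream makes encrypt and decrypt the same operation."""
    x, out = key16, bytearray()
    for b in data:
        x = (x * 0x5D + 0x1F) & 0xFFFF      # tiny LCG drives the keystream
        out.append(b ^ (x >> 8))
    return bytes(out)

def encrypt_request(password: bytes, body: bytes) -> bytes:
    """What a client sends: MAGIC + body under the key derived from the password."""
    return toy_crypt(toy_hash(password), MAGIC + body)

def recover_key(packet: bytes):
    """Known-plaintext search: the first 8 bytes must decrypt to MAGIC, so
    trying all 65,536 keys against the header alone pins the key down."""
    header = packet[:8]
    for key in range(KEY_SPACE):
        if toy_crypt(key, header) == MAGIC:
            return key
    return None                    # no key yields the header: not a BO request

def is_bo_request(packet: bytes) -> bool:
    """Sensor-style check: does any 16-bit key turn the header into MAGIC?"""
    return len(packet) >= 8 and recover_key(packet) is not None

if __name__ == "__main__":
    pkt = encrypt_request(b"b0-test", b"ping")   # constructed password and body
    key = recover_key(pkt)
    print(f"key 0x{key:04x} recovered; payload = {toy_crypt(key, pkt)!r}")
```

The full search is a few hundred thousand cheap operations, which is why the advisory reports seconds even on a Pentium-133.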
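Both the ICQ trojan post earlier in this digest and the advisory's detection steps come down to inspecting the RunServices autostart values, so here is an added Python audit (not ISS's, Shaka's or the digest's own code) that flags the indicators they name: an "Explorer" value under RunServices, an autostart file named " .exe", and a file within 30 bytes of 124,928 bytes. The key paths under HKEY_LOCAL_MACHINE, the sample entries and the sizes are constructed assumptions; on a live Win9x host you would pass the values read from the registry together with disk_size instead of the sample dictionary.

```python
import os

# Autostart keys named in the posts above (under HKEY_LOCAL_MACHINE).
RUN_KEYS = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
            r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
BO_SIZE, BO_TOLERANCE = 124_928, 30   # server size and slack, per the advisory
SYSTEM_DIR = r"c:\windows\system"     # where BO drops its server, per the advisory

def command_path(command: str) -> str:
    """Executable part of an autostart command line: a quoted path is taken
    whole, otherwise the first space-delimited token. A name that starts with
    a space (BO's default ' .exe') would split to nothing, so fall back to the
    whole command rather than silently dropping it."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0] or command

def file_name(path: str) -> str:
    """Last path component, accepting either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def audit_entries(key: str, entries, size_of):
    """entries: (value_name, command) pairs read from one autostart key.
    size_of(path) -> size in bytes, or None if the file cannot be found.
    Returns a list of (value_name, reason) findings."""
    findings = []
    for name, command in entries:
        if key.endswith("RunServices") and name.lower() == "explorer":
            findings.append((name, "'Explorer' value under RunServices (ICQ trojan indicator)"))
        path = command_path(command)
        if file_name(path).lower() == " .exe":
            findings.append((name, "autostart file named ' .exe' (Back Orifice default)"))
        size = size_of(path)
        if size is not None and abs(size - BO_SIZE) <= BO_TOLERANCE:
            findings.append((name, f"{path} is {size} bytes (Back Orifice size range)"))
    return findings

def disk_size(path: str):
    """Size lookup for a live host; bare names resolve against the system dir."""
    if not os.path.isabs(path):
        path = os.path.join(SYSTEM_DIR, path)
    return os.path.getsize(path) if os.path.isfile(path) else None

# Constructed sample of RunServices values and file sizes (not real data).
SAMPLE_ENTRIES = [
    ("SchedulingAgent", "mstask.exe"),                                   # benign
    ("Explorer", r"C:\Program Files\ICQ\Received Files\ICQ_SRV.EXE"),    # ICQ trojan
    (" .exe", r'"c:\windows\system\ .exe"'),                             # Back Orifice
]
SAMPLE_SIZES = {"mstask.exe": 28_672, r"c:\windows\system\ .exe": 124_940}

def audit_sample():
    """Run the audit over the constructed sample; returns the findings."""
    return audit_entries(RUN_KEYS[0], SAMPLE_ENTRIES, SAMPLE_SIZES.get)
```

audit_sample() returns three findings for the sample: the Explorer value, and the " .exe" entry flagged twice (by name and by size).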
From: Defiant <defiant@CYBERDEFIANT.DEMON.CO.UK>
A program called toilet paper has been released to remove
It's installed and searches for the program at start up. You can
it from www.sinnerz.com/tp.html or in the new files section of
www.genocide2600.com/~tattooman, hope it helps you all remove
-Life is just a dream on the way to death-
From: Ken Williams <jkwilli2@UNITY.NCSU.EDU>
Fresh Software <http://www.arez.com/fs/> has released
called AntiGen 1.0 that "detects, cleans, and destroys the
trojan. It checks the severity of the BOserve infection
and cleans each
of them - automatically, in a wizard interface."
It can be downloaded from Fresh Software at: http://www.arez.com/fs/antigen10.zip
I have provided a backup download location at:
File Size: 189k
Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
VP of E.H.A.P. Corp. http://www.ehap.org/
NC State Comp Sci Dept http://www.csc.ncsu.edu/ firstname.lastname@example.org
PGP DSS & RSA Keys: http://www.genocide2600.com/cgi-bin/finger?tattooman
*** Mac question
From: KMHCERBaker <email@example.com>
The only thing that I need to know now about hacking on a
How do I make files and folders invisible on my power mac?
*** In reply to the question about .au domains in whois
From: DungBeetle <firstname.lastname@example.org>
The whois servers for locations around the globe are:
American Registry for Internet Numbers - whois.arin.net
Server for European locations: whois.ripe.net
Server for Asia Pacific locations: whois.apnic.net
For US Military:
For US Government: whois.nic.gov
For US non-military and non-gov: whois.internic.net NOTE!!!
Whois.internic.net doesn't work the way this Digest says any
more. Instead, click here to
learn the new way to use it.
For the server on Australian locations use the Asia pacific
And if you don't want to use whois.internic.net, you can users.internic.net
Practically the same, and I don't know any different. Probably
different companies, but I couldn't care less.
*** Answer to Reg file Question from GTMHH
From: MadMan <email@example.com>
A while ago Randy Hunt had a question about saving his newly
.reg files. He said that he edited it in Wordpad and that
if it was
saved, all formatting would be lost. You can fix this easily
editing the *.reg file in Notepad instead of Wordpad. You
rename it in Windows Explorer, File Manager, or DOS.
Hope this helps.
Unsubscribe with message
This is a list devoted to *legal* hacking! If you plan to
information in this Digest or at our Web site to commit crime,
Foo on you! Happy Hacker is a 501 (c) (3) tax deductible organization
in the United States operating under Shepherd's Fold Ministries.
This is all a plot to save your immortal souls!
For Windows questions, please write Roger Prata<firstname.lastname@example.org>;
for Macs, write Strider <Strider@clarityconnect.com>,
and Unix, write Josh Fritsch <email@example.com> or
Happy Hacker Digest editor: Dale Holmes <firstname.lastname@example.org>
Happy Hacker Grand Pooh-bah: Carolyn Meinel <>